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The present invention relates to the methods, systems 
and devices designed to prove the authenticity of an entity 
and/or the integrity and/or authenticity of a message. 

The patent EP 0 311 470 Bl, whose inventors are Louis 
5 Guillou and Jean-Jacques Quisquater, describes such a 
method. Hereinafter, reference shall be made to their work by 
the terms "GQ patent" or "GQ method". Hereinafter, the 
expression "GQ2", or "GQ2 invention" or "GQ2 technology" 
shall be used to describe the present invention. 
10 According to the GQ method, an entity known as a 

"trusted authority" assigns an identity to each entity called a 
"witness" and computes its RSA signature. In a customizing 
process, the trusted authority gives the witness an identity and 
signature. Thereafter, the witness declares the following: "Here 
15 is my identity; I know its RSA signature". The witness proves 
that he knows the RSA signature of his identity without 
revealing it. Through the RSA public identification key 
distributed by the trusted authority, an entity known as a 
"controller" ascertains, without obtaining knowledge thereof, 
20 that the RSA signature corresponds to the declared identity. 
The mechanisms using the GQ method run "without transfer of 
knowledge". According to the GQ method, the witness does not 






know the RSA private key with which the trusted authority 
signs a large number of identities. 

The GQ technology described above makes use of RSA 
technology. However, whereas RSA technology truly depends 
5 on the factorization of the modulus n, this dependence is not 
an equivalence, indeed far from it, as can be seen in what are 
called "multiplicative attacks" against the various standards of 
digital signatures implementing RSA technology. 

The goal of the GQ2 technology is twofold: on the one 

10 hand, to improve the performance characteristics of RSA 
technology and, on the other hand, to avert the problems 
inherent in RSA technology. Knowledge of the GQ2 private key 
is equivalent to knowledge of the factorization of the modulus 
n. Any attack on the triplets GQ2 leads to factorization of the 

15 modulus n: this time there is equivalence. With the GQ2 
technology, the work load is reduced both for the signing or 
self-authenticating entity and for the controller entity. 
Through a better use of the problem of factorizing in terms of 
both security and performance, the GQ2 technology averts the 

20 drawbacks of RSA technology. 

The GQ method implements modulo computations of 
numbers comprising 512 bits or more. These computations 
relate to numbers having substantially the same size raised to 
powers of the order of 2 16 +1. But existing microelectronic 

25 infrastructures, especially in the field of bank cards, make use 
of monolithic self-programmable microprocessors without 
arithmetical coprocessors. The work load related to the 
multiple arithmetical applications involved in methods such as 
the GQ method leads to computation times which, in certain 

30 cases, prove to be disadvantageous for consumers using bank 
cards to pay for their purchases. It may be recalled here that, 
in seeking to increase the security of payment cards, the 
banking authorities have raised a problem that is particularly 
difficult to solve. In fact, two apparently contradictory 

3 5 questions have to be examined: on the one hand, increasing 




security by using increasingly lengthy and distinct keys for 
each card while, on the other hand, preventing the work load 
from leading to excessive computation times for the users. 
This problem becomes especially acute inasmuch as it is. also 
5 necessary to take account of the existing infrastructure and 
the existing microprocessor components. 

The GQ2 technology is aimed at providing a solution to 
this problem while still increasing security. 

Method ^ oPWXMl/^tX^ 

10 More particularly, the invention relates to a method 

designed to prove the following to a controller entity: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 
This proof is established by means of all or part of the 

15 following parameters or derivatives of these parameters: 

- m pairs of private values Qi, Q 2 , ... Q m and public values 
d, G 2 , ... G m (m being greater than or equal to 1), 

- a public modulus n constituted by the product of f 
prime factors pi, p 2 , ... Pf (f being greater than or equal to 2). 

20 Said modulus and said private and public values are 

related by relationships of the type: 

Gi . Qi v = 1 . mod n or Gi = Qi V mod n 
where v represents a public exponent of the type 

v = 2 k 

25 where k is a security parameter greater than 1, 

said m public values Gi being the squares g { 2 of m distinct base 
numbers g x g 2 , ... g m inferior to the f prime factors 
Pi, P2, Pf; said f prime factors pi, p 2 ,...pt and/or said m 
base numbers gi g 2 , ... g m being produced in such a way that 
30 the following conditions are satisfied. 
First condition : 

According to the first condition, each of the equations 

x v = gi 2 mod n (1) 
has solutions in x in the ring of integers modulo n. 
35 Second condition : 
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According to the second condition, in the case where 
Gj s Qi V mod n, among the m numbers q t obtained by raising 
Qi to the square modulo n, k-1 rank times, one of them is 
different from ±g* (that is to say non-trivial). 
5 According to the second condition, in the case where 

Gj . Qi v s l.modn, among the m numbers qi obtained by 
raising the inverse of Qi modulo n to the square modulo n, k-1 
rank times, one of them is different from ±g { (that is to say 
non-trivial). 

10 It is to be noted here that according to current notation 

±gi represents the number gj and n-gj. 
Third condition : 

According to the third condition, among the 2 m 
equations: 

15 x 2 = gi mod n (2) 

x 2 = -gi mod n (3) 
at least one of them has solutions in x in the ring of 
integers modulo n. 

The method implements an entity called a witness in the 
20 steps defined here below. Said witness entity has f prime 
factors pi and/or m base numbers gi and/or parameters of the 
Chinese remainders of the prime factors and/or the public 
modulus n and/or the m private values Qi and/or the f.m 
components Qij(Qij = Qi mod pj) of the private values Qi and of 
25 the public exponent v. 

The witness computes commitments R in the ring of 
integers modulo n. Each commitment is computed either by: 

- performing operations of the type 

R = r v mod n 

30 Where r is a random value such that 0<r<n, 

- o r 

** by performing operations of the type 

Ri = ri v mod pi 



it 




5 



where r { is a random value associated with the prime 
number p, such that 0 < r; < p i? each r\ belonging to a 
collection of random values {r { , r 2 , ... r f }, 

** then by applying the Chinese remainder method. 
5 The witness receives one or more challenges d. Each 

challenge d comprises m integers dj hereinafter called 
elementary challenges. The witness, on the basis of each 
challenge dj computes a response D, 

- either by performing operations of the type: 
10 D = r . Q! dI . Q 2 d2 . ... Q m dm mod n 

- o r 

** by performing operations of the type: 

Di ^ n . Q u dl , Q i2 d2 . ... Qi, m dm mod Pi 
** then by applying the Chinese remainder method. 
15 The method is such that there are as many responses D 

as there are challenges d as there are commitments R. Each 
group of numbers R, d, D forms a triplet referenced {R, d, D}. 
Case of the proof of the authenticity of an entity 

In a first variant of an embodiment, the method 
20 according to the invention is designed to prove the 
authenticity of an entity known as a demonstrator to an entity 
known as the controller. Said demonstrator entity comprises 
the witness. Said demonstrator and controller entities execute 
the following steps: 
25 • Step 1: act of commitment R 

At each call, the witness computes each commitment R 
by applying the process specified above. The demonstrator 
sends the controller all or part of each commitment R. 

• Step 2: act of challenge d 

30 The controller, after having received all or part of each 

commitment R, produces challenges d equal in number to the 
number of commitments R and sends the challenges d to the 
demonstrator. 

• Step 3: act of response D 
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The witness computes the responses D from the 
challenges d by applying the process specified above. 
• Step 4: act of checking 

The demonstrator sends each response D to the 
5 controller. 

First case : the demonstrator has transmitted a part o f 
each commitment R. 

If the demonstrator has transmitted a part of each 
commitment R, the controller, having the m public values Gi, 
10 G 2 , . G m , computes a reconstructed commitment R\ from 
each challenge d and each response D, this reconstructed 
commitment R' satisfying a relationship of the type 

R' ^ Gi dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 
15 R' = D7G! dl . G 2 d2 . ... G m dm . mod n. 

The controller ascertains that each reconstructed 
commitment R' reproduces all or part of each commitment R 
that has been transmitted to it. 

Second case : the demonstrator has transmitted the 
20 totality of each commitment R 

If the demonstrator has transmitted the totality of each 
commitment R, the controller, having the m public values Gi, 
G 2 , G m , ascertains that each commitment R satisfies a 
relationship of the type 
25 R ^ d dI . G 2 d2 . ... G m dm . D v mod n 

or a relationship of the type 

R = D7G! dl . G 2 d2 . ... G m dm . mod n. 
Case of the proof of the integrity of the message 

In a second variant of an embodiment capable of being 
30 combined with the first one, the method according to the 
invention is designed to provide proof to an entity, known as 
the controller entity, of the integrity of a message M 
associated with an entity called a demonstrator entity. Said 
demonstrator entity comprises the witness. 
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Said demonstrator and controller entities perform the 
following steps: 

• Step 1: act of commitment R 

At each call, the witness computes each commitment R 
5 by applying the process specified above. 

• Step 2: act of challenge d 

The demonstrator applies a hashing function h whose 
arguments are the message M and all or part of each 
commitment R to compute at least one token T. The 
10 demonstrator sends the token T to the controller. The 
controller, after having received a token T, produces 
challenges d equal in number to the number of commitments R 
and sends the challenges d to the demonstrator. 

• Step 3: act of response D 

15 The witness computes the responses D from the 

challenges d by applying the process specified above. 

• Step 4: act of checking 

The demonstrator sends each response D to the 
controller. The controller, having the m public values Gi, G 2 , 
20 G m , computes a reconstructed commitment R\ from each 
challenge d and each response D, this reconstructed 
commitment R' satisfying a relationship of the type: 
R' ^ G! dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type 
25 R' = D7Gi dl . G 2 d2 . ... G m dm . mod n. 

Then the controller applies the hashing function h whose 
arguments are the message M and all or part of each 
reconstructed commitment R' to reconstruct the token T\ 
Then the controller ascertains that the token T is identical to 
30 the token T transmitted. 

Digital signature of a message and proof of its 
authenticity 

In a third variant of an embodiment according to the 
invention, capable of being combined with the two preceding 
35 embodiments, the method according to the invention is 
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designed to produce the digital signature of a message M by an 
entity known as the signing entity. Said signing entity includes 
the witness. 
Signing operation 
5 Said signing entity executes a signing operation in order 

to obtain a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 

10 Said signing entity executes the signing operation by 

implementing the following steps: 

• Step 1: act of commitment R 

At each call, the witness computes each commitment R 
by applying the process specified above. 
15 • Step 2: act of challenge d 

The signing entity applies a hashing function h whose 
arguments are the message M and each commitment R to 
obtain a binary train. From this binary train, the signing entity 
extracts challenges d in a number equal to the number of 
20 commitments R. 

• Step 3: act of response D 

The witness computes the responses D from the 
challenges d by applying the process specified process above. 
Checking operation 
25 To prove the authenticity of the message M, an entity 

called a controller checks the signed message. Said controller 
entity having the signed message carries out a checking 
operation by proceeding as follows, 

• Case where the controller has commitments R, 
30 challenges d, responses D 

If the controller has commitments R, challenges d, 
responses D, the controller ascertains that the commitments R, 
the challenges d and the responses D satisfy relationships of 
the type: 

35 R ^ G, dl . G 2 d2 . ... G m dm . D v mod n 
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or relationships of the type: 

R = D7G! dl . G 2 d2 . ... G m dm . mod n. 
Then the controller ascertains that the message M, the 
challenges d and the commitments R satisfy the hashing 
5 function: 

d = h (message, R) 

• Case where the controller has challenges d and 
responses D 

If the controller has challenges d and responses D, the 
10 controller, on the basis of each challenge d and each response 
D, reconstructs commitments R' satisfying relationships of the 
type: 

R' » G! dl . G 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 
15 R' = D7Gi dI . G 2 d2 . ... G m dm . mod n. 

Then the controller ascertains that the message M and 
the challenges d satisfy the hashing function: 

D = h (message, R') 

• Case where the controller has commitments R 
20 and responses D 

If the controller has commitments R and responses D ? 
the controller applies the hashing function and reconstructs d' 

d 1 = h (message, R). 
Then the controller ascertains that the commitments R, 
25 the challenges d' and the responses D satisfy relationships of 
the type: 

R = G! dM . G/ 2 . ... G m d ' m . D v mod n 

or relationships of the type: 

R D7Gi dM . G/ 2 . ... G m d ' m . mod n. 

30 System 

The present invention also relates to a system designed 
to prove the following to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 




This proof is established by means of all or part of the 
following parameters or derivatives of these parameters: 

- m pairs of private values Qi, Q 2 , ... Q m and public values 
Gi, G 2 , ... G m (m being greater than or equal to 1), 
5 - a public modulus n constituted by the product of f 

prime factors p i5 p 2 , ... Pf (f being greater than or equal to 2). 

Said modulus, and said private and public values are 
linked by relationships of the type: 

Gi . Qi v = 1 . mod n or Gj = Q { v mod n 
10 v designating a public exponent of the type: 

v = 2 k 

where k is a security parameter greater than 1, 

said m public values Gi being the squares gi 2 of distinct m 
base numbers gi, g 2 , ... g m inferior to the f prime factors p u p 2 , 
15 ... p f ; said f prime factors pi, p 2 , ... pf and /or said m base 
numbers gi, g 2 ... g m being produced such that the following 
conditions are satisfied. 
First condition 

According to the first condition, each of the equations: 
20 x v ^ gi 2 . mod n (1) 

can be solved in x in the ring of integers modulo n. 
Second condition 

According to the second condition, in the case where 
Gi = Qj V . mod n, among the m numbers qi obtained by raising 
25 Qi to the square modulo n, k-1 rank times, one of them is 
different from ± gi (that is to say non trivial). 

According to the second condition, in the case where 
Gj . Qi V = 1 mod n, among the m numbers q* obtained by 
raising the inverse of Qi modulo n to the square modulo n, k-1 
30 rank times, one of them is different from ± gi (that is to say 
non trivial). 

It is pointed out here that according to a current 
notation ± gi represents the numbers gi and n-gj. 
Third condition: 




According to the third condition, among the 2 m 
equations: 

x 2 = gi mod n (2) 
x 2 = gi mod n (3) 
5 at least one of them can be solved in x in the ring of 

integers modulo n. 

Said system comprises a witness device, contained 
especially in a nomad object which, for example, takes the 
form of a microprocessor-based bank card. The witness device 
10 comprises a memory zone containing the f prime factors pi 
and/or the parameters of the Chinese remainders of the prime 
factors and/or the public modulus n and/or the m private 
values Qi and/or f.m components QyCQij = Qjmod pj) of the 
private values Qi and of the public exponent v. The witness 
15 device also comprises: 

- random value production means hereinafter called 
random value production means of the witness device, 

- computation means, hereinafter called means for the 
computation of commitments R of the witness device. 

20 The means of computation make it possible to compute 

commitments R in the ring of integers modulo n. Each 
commitment is computed 

• either by performing operations of the type 

R = r v mod n 

25 where r is a random value produced by the random 

factor production means, r being such that 0 < r < n. 

• or by performing operations of the type 

R i s rj v mod pi 
where r s is a random value associated with the prime 
30 number pi such that 0 < r, < p i? each r { belonging to a 
collection of random values {r u r 2 , ... r f }, produced by the 
random factor production means and then by applying the 
Chinese remainder method. 

The witness device also comprises: 
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- reception means hereinafter called the means for the 
reception of the challenges d of the witness device, to receive 
one or more challenges d; each challenge d comprising m 
integers dj hereinafter called elementary challenges. 
5 - computation means, hereinafter called means for the 

computation of the responses D of the witness device, for the 
computation on the basis of each challenge d, of a response D: 
• either by carrying out operations of the type: 
D.s r . Qi dl . Q 2 d2 ■ ... Qm dm mod n 
10 • or by carrying out operations of the type: 

Di^ n . Q u dl . Qi, 2 d2 • ... Qi, m dm mod Pi 
and then by applying the Chinese remainder method. 
The witness device also comprises transmission means to 
transmit one or more commitments R and one or more 
15 responses D. There are as many responses D as there are 
challenges d as there are commitments R. Each group of 
numbers R, d, D forming a triplet referenced {R, d, D}. 
Case of the proof of the authenticity of an entity 

In a first variant of embodiment, the system according to 
20 the invention is designed to prove the authenticity of an entity 
called a demonstrator to an entity called a controller. 

Said system is such that it comprises a demonstrator 
device associated with a demonstrator entity. Said 
demonstrator device is interconnected with the witness device 
25 by interconnection means. It may especially take the form of 
logic microcircuits in a nomad object, for example the form of 
a microprocessor in a microprocessor-based bank card. 

Said system also comprises a controller device associated 
with the controller entity. Said controller device especially 
30 takes the form of a terminal or remote server. Said controller 
device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially 
through a computer communications network, to the 
demonstrator device. 
35 Said system is used to execute the following steps: 




• Step 1: act of commitment R 

At each call, the means of computation of the 
commitments R of the witness device compute each 
commitment R by applying the process specified above. The 
5 witness device comprises means of transmission, hereinafter 
called the transmission means of the witness device, to 
transmit all or part of each commitment R to the demonstrator 
device through the interconnection means. The demonstrator 
device also comprises transmission means, hereinafter called 
10 the transmission means of the demonstrator, to transmit all or 
part of each commitment R to the controller device through 
the connection means. 

• Step 2: act of challenge d 

The controller device comprises challenge production 
15 means for the production, after receiving all or part of each 
commitment R, of the challenges d equal in number to the 
number of commitments R. The controller device also 
comprises transmission means, hereinafter called the 
transmission means of the controller, to transmit the 
20 challenges d to the demonstrator through the connection 
means. 

• Step 3: act of response D 

The means of reception of the challenges d of the witness 
device receive each challenge d coming from the demonstrator 
25 device through the interconnection means. The means of 
computation of the responses D of the witness device compute 
the responses D from the challenges d by applying the process 
specified above. 

• Step 4: act of checking 

30 The transmission means of the demonstrator transmit 

each response D to the controller. The controller device also 
comprises: 

- computation means, hereinafter called the computation 
means of the controller device, 
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- comparison means, hereinafter called the comparison 
means of the controller device. 

First case : the demonstrator has transmitted a part o f 
each commitment R. 

5 If the transmission means of the demonstrator have 

transmitted a part of each commitment R, the computation 
means of the controller device, having m public values 
d, G 2 , ... Gm, compute a reconstructed commitment R\ 
from each challenge d and each response D, this reconstructed 
10 commitment R* satisfying a relationship of the type: 

R' ^ G! dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type: 

R' ^ D v /G! dl . G 2 d2 . ... G m dm mod n. 
The comparison means of the controller device compare 
15 each reconstructed commitment R' with all or part of each 
commitment R received. 

Second case : the demonstrator has transmitted the 
totality of each commitment R 

If the transmission means of the demonstrator have 
20 transmitted the totality of each commitment R, the 
computation means and the comparison means of the 
controller device, having m public values Gi, G 2 , . G m , 
ascertain that each commitment R satisfies a relationship of 
the type: 

25 R = G! di . G 2 d2 . ... G m dm . D v mod n 

or a relationship of the type: 

R ^ D7G/ 1 . G 2 d2 . ... G m dm mod n. 
Case of the proof of the integrity of a message 

In a second variant embodiment capable of being 
30 combined with the first one, the system according to the 
invention is designed to give proof to an entity, known as a 
controller of the integrity of a message M associated with an 
entity known as a demonstrator. Said system is such that it 
comprises a demonstrator device associated with the 
35 demonstrator entity. Said demonstrator device is 
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interconnected with the witness device by interconnection 
means. It may especially take the form of logic microcircuits in 
a nomad object, for example in the form of a microprocessor 
in a microprocessor-based bank card. Said system also 
5 comprises a controller device associated with the controller 
entity. Said controller device especially takes the form of a 
terminal or remote server. Said controller device comprises 
connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing 
10 communications network, to the demonstrator device.. 

Said system is used to execute the following steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the 
commitments R of the witness device compute each 

15 commitment R by applying the process specified above. The 
witness device has means of transmission, hereinafter called 
transmission means of the witness device, to transmit all or 
part of each commitment R to the demonstrator device 
through the interconnection means. 

20 • Step 2: act of challenge d 

The demonstrator device comprises computation means, 
hereinafter called the computation means of the 
demonstrator, applying a hashing function h whose arguments 
are the message M and all or part of each commitment R to 

25 compute at least one token T. The demonstrator device also 
comprises transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit 
each token T through the connection means to the controller 
device. The controller device also has challenge production 

30 means for the production, after having received the token T, 
of the challenges d in a number equal to the number of 
commitments R. The controller device also has transmission 
means, hereinafter called the transmission means of the 
controller, to transmit the challenges d to the demonstrator 

35 through the connection means. 




• Step 3: act of response D 

The means of reception of the challenges d of the witness 
device receive each challenge d coming from the demonstrator 
device through the interconnection means. The means of 
5 computation of the responses D of the witness device compute 
the responses D from the challenges d by applying the process 
specified above. 

• Step 4: act of checking 

The transmission means of the demonstrator transmit 
10 each response D to the controller. The controller device also 
comprises computation means, hereinafter called the 
computation means of the controller device, having m public 
values Gi, G 2 , G m , to firstly compute a reconstructed 
commitment R\ from each challenge d and each response D, 
15 this reconstructed commitment R' satisfying a relationship of 
the type: 

R' = Gi dl . G 2 d2 . ... G m dm . D v mod n 
or a relationship of the type: 

R' ^ D7Gi dl . G 2 d2 . ... G m dm mod n 
20 and then, secondly, to compute a token T* by applying 

the hashing function h having as arguments the message M and 
all or part of each reconstructed commitment R\ 

The controller device also has comparison means, 
hereinafter known as the comparison means of the controller 
25 device, to compare the computed token T* with the received 
token T. 

Digital signature of a message and proof of its 
authenticity 

In a third variant of an embodiment according to the 
30 invention, capable of being combined with one and/or the 
other of the first two embodiments, the system according to 
the invention is designed to prove the digital signature of a 
message M, hereinafter known as a signed message, by an 
entity called a signing entity. 
3 5 The signed message comprises: 
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- the message M, 

- the challenges d and/or the commitments R, 

the responses D. 
Signing operation 
5 Said system is such that it comprises a signing device 

associated with the signing entity. Said signing device is 
interconnected with the witness device by interconnection 
means and may especially take the form of logic microcircuits 
in a nomad object, for example in the form of a 
10 microprocessor in a microprocessor-based bank card. 

Said system is used to execute the following steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the 
commitments R of the witness device compute each 

15 commitment R by applying the process specified above. The 
witness device comprises means of transmission, hereinafter 
called the transmission means of the witness device, to 
transmit all or part of each commitment R to the signing 
device through the interconnection means. 

20 • Step 2: act of challenge d 

The signing device comprises computation means, 
hereinafter called the computation means of the signing 
device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a 

25 binary train and extract, from this binary train, challenges d 
whose number is equal to the number of commitments R. 

• Step 3: act of response D 

The means for the reception of the challenges d of the 
witness device receive each challenge d coming from the 
30 signing device through the interconnection means. The means 
for computing the responses D of the witness device compute 
the responses D from the challenges d by applying the process 
specified above. The witness device comprises transmission 
means, hereinafter called means of transmission of the witness 
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device, to transmit the responses D to the signing device, 
through the interconnection means. 
Checking operation : 

To prove the authenticity of the message M, an entity 
5 known as the controller checks the signed message. 

Said system comprises a controller device associated 
with the controller entity. Said controller device especially 
takes the form of a terminal or remote server. Said controller 
device comprises connection means for its electrical, 
10 electromagnetic, optical or acoustic connection, especially 
through a computer communications network, to the signing 
device. 

Said signing device associated with the signing entity 
comprises transmission means, hereinafter known as the 
15 transmission means of the signing device, for the transmission, 
to the controller device, of the signed message through the 
connection means. Thus the controller device has a signed 
message comprising: 

- the message M, 

20 - the challenges d and/or the commitments R, 

- the responses D. 

The controller device comprises: 

- computation means hereinafter called the computation 
means of the controller device, 

25 - comparison means, hereinafter called the comparison 

means of the controller device. 

Case where the controller device has 
commitments R, challenges d, responses D 

If the controller device has commitments R, challenges d, 
30 responses D, the computation and comparison means of the 
controller device ascertain that the commitments R, the 
challenges d and the responses D satisfy relationships of the 
type 

R ^ G! dl . G 2 d2 . ... G m dm . D v mod n 
35 or relationships of the type: 




R = D v /Gi dI . G 2 d2 . ... G m dm mod n. 
Then, the computation and comparison means of the 
controller device ascertain that the message M, the challenges 
d and the commitments R satisfy the hashing function: 
5 d = h(message, R) 

• Case where the controller device has challenges 
d and responses D 

If the controller has challenges d and responses D, the 
computation means of the controller reconstruct, on the basis 
10 of each challenge d and each response D, commitments R' 
satisfying relationships of the type 

R' ^ G, dl . G 2 d2 . ... G m dm . D v mod n 
or relationships of the type: 

R' ^ D7G! dI . G 2 d2 . ... G m dm mod n. 
15 Then the computation and comparison means of the 

controller device ascertain that the message M and the 
challenges d satisfy the hashing function: 

d = h (message, R') 

• Case where the controller has commitments R 
20 and responses D 

If the controller device has commitments R and 
responses D, the computation means of the controller device 
apply the hashing function and compute d f such that: 

cT = h (message, R) 
25 Then the computation and comparison means of the 

controller device ascertain that the commitments R, the 
challenges d' and the responses D satisfy relationships of the 
type: 

R ^ Gi d l . G/ 2 . ... G m d ' m . D v mod n 
30 or relationships of the type: 

R ^ DVG/ 1 . G/ 2 . ... G m d m mod n. 

Terminal Device 

The invention also relates to a terminal device associated 
with an entity. The terminal device especially takes the form of 
3 5 a nomad object, for example the form of a microprocessor in a 
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microprocessor-based bank card, The terminal device is 
designed to prove the following to a controller device: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 
5 This proof is established by means of all or part of the 

following parameters or derivatives of these parameters: 

- m pairs of private values Qi, Q 2 , ... Q m and public values 
Gi, G 2 , ... G m (m being greater than or equal to 1), 

- a public module n constituted by the product of f prime 
10 factors p u p 2 , ... pf (f being greater than or equal to 2). 

Said module and said private and public values are 
related by relationships of the type 

Gi • Qj v s 1 mod n or Gi = Qi V mod n 
v designating a public exponent of the type 
15 v = 2 k 

where k is a security parameter greater than 1. 

Said m public values Gj are the squares gj 2 of m distinct 
base numbers gi,g 2 , ... gm inferior to the f prime factors p lf p 2 , 
... p f ; said f prime factors pi, p 2 , ... p f and/or said m base 
20 numbers gi,g 2 , ... g m being produced such that the following 
conditions are satisfied. 
First condition 

According to the first condition, each of the equations: 

x v = gi 2 mod n (1) 
25 can be solved in x in the ring of integers modulo n. 

Second condition 

According to the second condition, in the case where 
Gi = Qi V mod n, among the m numbers q* obtained by raising 
Qi to the square modulo n, k-1 times, one of them is different 
30 from ±gi (that is to say non trivial). 

According to the second condition, in the case where 
Gi . Qi V = 1 mod n, among the m numbers q* obtained by 
raising the inverse of Qi modulo n to the square modulo n, k-1 
times, one of them is different from ±gj (that is to say non 
35 trivial). 




It is pointed out here that according to a current 
notation ±gi represents the numbers gi and n-gi. 
Third condition: 

According to the third condition, among the 2 m 
5 equations: 

x 2 = gi mod n (2) 
x 2 = gi mod n (3) 
at least one of them can be solved in x in the ring of 
integers modulo n. 
10 Said terminal device comprises a witness device 

comprising a memory zone containing the f prime factors pi 
and/or the parameters of the Chinese remainders of the prime 
factors and/or the public modulus n and/or the m private 
values Qi and/or f.m components Qy (Qy = Qjmod pj) of the 
15 private values Qi and of the public exponent v. 
The witness device also comprises: 

- random value production means hereinafter called 
random value production means of the witness device, 

- computation means, hereinafter called means for the 
20 computation of commitments R of the witness device in the 

ring of the integers modulo n. 

Each commitment is computed 

• either by performing operations of the type: 

R = r v mod n 

25 where r is a random value produced by the random value 

production means, r being such that 0<r<n. 

• or by performing operations of the type: 

Ri = rj v mod p 4 

where r\ is a random value associated with the prime 
30 number pi such that 0<ri<pi, each ri belonging to a collection 
of random values {r l9 r 2 , ... r f } produced by the random value 
production means, then by applying the Chinese remainder 
method. 

The witness device also comprises: 




- reception means hereinafter called the means for the 
reception of the challenges d of the witness device, to receive 
one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; 
5 - computation means, hereinafter called means for the 

computation of the responses D of the witness device, for the 
computation, on the basis of each challenge d, of a response 
D, 

• either by performing operations of the type: 
10 D ^ r . Q/ 1 . Q 2 d2 . ... Q m dm mod n 

• or by performing operations of the type: 

D = T[ . Q u dl . Qi, 2 d2 . ... Qi, m dm mod Pi 
and then by applying the Chinese remainder method. 
Said witness device also comprises transmission means 
15 to transmit one or more commitments R and one or more 
responses D. There are as many responses D as there are 
challenges d as there are commitments R. Each group of 
numbers R, d, D forms a triplet referenced {R, d, D}. 
Case of the proof of the authenticity of an entity 
20 In a first embodiment variant, the terminal device 

according to the invention is designed to prove the 
authenticity of an entity called a demonstrator to an entity 
called a controller. 

Said terminal device is such that it comprises a 
25 demonstrator device associated with a demonstrator entity. 
Said demonstrator device is interconnected with the witness 
device by interconnection means. It may especially take the 
form of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank 
30 card. 

Said demonstrator device also comprises connection 
means for its electrical, electromagnetic, optical or acoustic 
connection, especially through a data-processing 
communications network, to the controller device associated 




with the controller entity. Said controller device especially 
takes the form of a terminal or remote server. 

Said terminal device is used to execute the following 

steps: 

5 • Step 1: act of commitment R 

At each call, the means of computation of the 
commitments R of the witness device compute each 
commitment R by applying the process specified above. 

The witness device has means of transmission, 

10 hereinafter called transmission means of the witness device, to 
transmit all or part of each commitment R to the demonstrator 
device through the interconnection means. The demonstrator 
device also has transmission means, hereinafter called the 
transmission means of the demonstrator, to transmit all or 

15 part of each commitment R to the controller device, through 
the connection means 

• Steps 2 and 3: act of challenge d, act o f 
response D 

The means of reception of the challenges d of the witness 
20 device receive each challenge d coming from the controller 
device through the connection means between the controller 
device and the demonstrator device and through the 
interconnection means between the demonstrator device and 
the witness device. The means of computation of the responses 
25 D of the witness device compute the responses D from the 
challenges d by applying the process specified above. 

• Step 4: act of checking 

The transmission means of the demonstrator transmit 
each response D to the controller device that carries out the 
30 check. 

Case of the proof of the integrity of a message 

In a second embodiment variant capable of being 
combined with the first embodiment, the terminal device 
according to the invention is designed to give proof to an 
35 entity, known as a controller, of the integrity of a message M 
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associated with an entity known as a demonstrator. Said 
terminal device is such that it comprises a demonstrator 
device associated with the demonstrator entity, said 
demonstrator device being interconnected with the witness 
5 device by interconnection means. It may especially take the 
form of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank 
card. Said demonstrator device comprises connection means 
for its electrical, electromagnetic, optical or acoustic 
10 connection, especially through a data-processing 
communications network, to the controller device associated 
with the controller entity. Said controller device especially 
takes the form of a terminal or remote server. 

Said terminal device is used to execute the following 

15 steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the 
commitments R of the witness device compute each 
commitment R by applying the process specified above. The 
20 witness device has means of transmission, hereinafter called 
the transmission means of the witness device, to transmit all 
or part of each commitment R to the demonstrator device 
through the interconnection means. 

• Steps 2 and 3: act of challenge d, act o f 
25 response D 

The demonstrator device comprises computation means, 
hereinafter called the computation means of the 
demonstrator, applying a hashing function h whose arguments 
are the message M and all or part of each commitment R, to 
30 compute at least one token T. The demonstrator device also 
has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit 
each token T, through the connection means, to the controller 
device. 
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Said controller device, after having received the token T, 
produces challenges d in a number equal to the number of 
commitments R 

The means of reception of the challenges d of the witness 
5 device receive each challenge d coming from the controller 
device through the interconnection means between the 
controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and 
the witness device. The means of computation of the responses 
10 D of the witness device compute the responses D from the 
challenges d by applying the process specified above. 

• Step 4: act of checking 

The transmission means of the demonstrator send each 
response D to the controller device which performs the check. 
15 Digital signature of a message and proof of its 
authenticity 

In a third embodiment variant, capable of being 
combined with either one of the first two, the terminal device 
according to the invention is designed to produce the digital 
20 signature of a message M, hereinafter known as the signed 
message, by an entity called a signing entity. 

The signed message comprises: 

- the message M, 

- the challenges d and/or the commitments R, 
25 - the responses D. 

Said terminal device is such that it comprises a signing 
device associated with the signing entity. Said signing device is 
interconnected with the witness device by interconnection 
means. It may especially take the form of logic microcircuits in 

30 a nomad object, fox example the form of a microprocessor in 
a microprocessor-based bank card. Said signing device 
comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially 
through a data-processing communications network, to the 

35 controller device associated with the controller entity. Said 




controller device especially takes the form of a terminal or 
remote server. 
Signing operation : 

Said terminal device is used to execute the following 

5 steps: 

• Step 1: act of commitment R 

At each call, the means of computation of the 
commitments R of the witness device compute each 
commitment R by applying the process specified above. The 
10 witness device comprises means of transmission, hereinafter 
called the transmission means of the witness device, to 
transmit all or part of each commitment R to the signing 
device through the interconnection means. 

• Step 2: act of challenge d 

15 The signing device comprises computation means, 

hereinafter called the computation means of the signing 
device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R, to compute 
a binary train and extract, from this binary train, challenges d 

20 whose number is equal to the number of commitments R. 

• Step 3: act of response D 

The means for the reception of the challenges d receive 
each challenge d coming from the signing device through the 
interconnection means. The means for computing the 

25 responses D of the witness device compute the responses D 
from the challenges d by applying the process specified above. 
The witness device comprises transmission means, hereinafter 
called means of transmission of the witness device, to transmit 
the responses D to the signing device, through the 

30 interconnection means. 
Controller device 

The invention also relates to a controller device. The 
controller device may especially take the form of a terminal or 
remote server associated with a controller entity. The 

35 controller device is designed to check : 
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- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 
This proof is established by means of all or part of the 

following parameters or derivatives of these parameters: 
5 - m pairs of public values Gi, G 2 , ... G m (m being greater 

than or equal to 1), 

- a public modulus n constituted by the product of f 
prime factors p u p 2 , ... Pf (f being greater than or equal to 2), 
unknown to the controller device and the associated controller 

10 entity. 

Said modulus and said private and public values are 
related by relationships of the type 

d . Qi v = 1 . mod n or Gi= Qi V mod n 
v designating a public exponent of the type: 
15 ~ ~ " v = 2 k 

where k is a security parameter greater than 1. 
Said m public values Gj being the squares gj 2 of m distinct 
base numbers gi,g 2 , gm inferior to the f prime factors pi, p 2 , 
... p f ; said f prime factors p u p 2 , ... p f and/or said m base 
20 numbers gi,g 2 , ... g m being produced such that the following 
conditions are satisfied. 
First condition 

According to the first condition, each of the equations: 

x v = gi 2 mod n (1) 
25 can be solved in x in the ring of integers modulo n. 

Second condition 

According to the second condition, in the case where 
Gi= Qi v . mod n, among the m numbers q* obtained by raising 
Qi to the square modulo n, k-1 rank times, one of them is 
30 different from ±gi (that is to say non trivial). 

According to the second condition, in the case where 
Gi. Qi v = 1 mod n, among the m numbers q { obtained by 
raising the inverse of Qi modulo n to the square modulo n, k-1 
rank times, one of them is different from ±gj (that is to say 
35 non trivial). 
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It is pointed out here that according to a current 
notation ±gi represents the numbers gj and n-gj. 
Third condition 

According to the third condition, among the 2 m 
5 equations: 

x 2 = gj mod n (2) 
x 2 = gj mod n (3) 
at least one of them can be solved in x in the ring of 
integers modulo n. 
10 Case of the proof of the authenticity of an entity 

In a first embodiment variant, the controller device 
according to the invention is designed to prove the 
authenticity of an entity called a demonstrator and an entity 
called a controller. 
15 Said controller device comprises connection means for 

its electrical, electromagnetic, optical or acoustic connection, 
especially through a data-processing communications network, 
to a demonstrator device associated with the demonstrator 
entity. 

20 Said controller device is used to execute the following 

steps: 

• Steps 1 and 2: act of commitment R, act o f 
challenge d 

Said controller device also has means for the reception 
25 of all or part of the commitments R coming from the 
demonstrator device through the connection means. 

The controller device comprises challenge production 
means for the production, after receiving all or part of each 
commitment R, of the challenges d in a number equal to the 
30 number of commitments R, each challenge d comprising m 
integers d, hereinafter called elementary challenges. 

The controller device also comprises transmission 
means, hereinafter called transmission means of the 
controller, to transmit the challenges d to the demonstrator 
3 5 through the connection means. 




• Steps 3 and 4: act of response D, act o f 
checking 

The controller device also comprises: 

- means for the reception of the responses D coming 
5 from the demonstrator device, through the connection means, 

- computation means, hereinafter called the computation 
means of the controller device, 

- comparison means, hereinafter called the comparison 
means of the controller device. 

10 • First case: the demonstrator has transmitted a 

part of each commitment R. 

If the reception means of the controller device have 
received a part of each commitment R, the computation means 
of the controller device, having m public values Gi, G 2 , ... G m , 
15 compute a reconstructed commitment R', from each challenge 
d and each response D, this reconstructed commitment R' 
satisfying a relationship of the type: 

R* » G x dl . G 2 d2 ....G m dm . D v mod n 

or a relationship of the type: 
20 R' ^ DVG^ 1 . G 2 d2 . ... G m dm mod n. 

The comparison means of the controller device compare 
each reconstructed commitment R' with all or part of each 
commitment R received. 

• Second case: the demonstrator has transmitted 
25 the totality of each commitment R 

If the reception means of the controller device have 
received the totality of each commitment R, the computation 
means and the comparison means of the controller device, 
having m public values G u G 2 , ... G m , ascertain that each 
30 commitment R satisfies a relationship of the type: 

R < ^ Gl dl . G 2 d2 ....G m dm . D v mod n 
or a relationship of the type: 

R' ^ D7G! dl . G 2 d2 . ... G m dm mod n. 




Case of the proof of the integrity of a message 

In a second embodiment variant capable of being 
combined with the first, the controller device according to the 
invention is designed to prove the integrity of a message M 
5 associated with an entity known as a demonstrator. 

Said controller device comprises connection means for 
its electrical, electromagnetic, optical or acoustic connection, 
especially through a data-processing communications network, 
to a demonstrator device associated with the demonstrator 
10 entity. 

Said controller device is used to execute the following 

steps: 

• Steps 1 and 2: act of commitment R, act o f 
challenge d 

15 Said controller device has means for the reception of 

tokens T coming from the demonstrator device through the 
connection means. The controller device has challenge 
production means for the production, after having received 
the token T, of challenges d in a number equal to the number 

20 of commitments R, each challenge d comprising m integers d* 
hereinafter called elementary challenges. The controller device 
also has transmission means, hereinafter called the 
transmission means of the controller, to transmit the 
challenges d to the demonstrator through the connection 

25 means. 

• Steps 3 and 4: act of response D, act o f 
checking 

Said controller device also comprises means for the 
reception of the responses D coming from the demonstrator 
30 device, through the connection means. Said controller device 
also comprises computation means, hereinafter called the 
computation means of the controller device, having m public 
values Gi, G 2 , ... G m , to first of all compute a reconstructed 
commitment R\ from each challenge d and each response D, 
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this reconstructed commitment R* satisfying a relationship of 
the type: 

R' ^ G! dl . G 2 d2 ....G m dm . D v mod n 
or a relationship of the type: 
5 R' = D7G! dl . G 2 d2 . ... G m dm mod n 

and then, secondly, to compute a token T 1 by applying a 
hashing function h having as arguments the message M and all 
or part of each reconstructed commitment R\ 

The controller device also has comparison means, 
10 hereinafter called the comparison means of the controller 
device to compare the computed token T with the received 
token T. 

Digital signature of a message and proof of its 
authenticity 

15 In a third embodiment variant, capable of being 

combined with either one or the other of the first two 
embodiments, the controller device according to the invention 
is designed to prove the authenticity of the message M by 
checking a signed message by means of an entity called a 

20 controller. 

The signed message, sent by a signing device associated 
with a signing entity having a hashing function h (message, R) 
comprises: 

- the message M, 

25 - the challenges d and/or the commitments R, 

- the responses D. 
Checking operation 

Said controller device comprises connection means for 
its electrical, electromagnetic, optical or acoustic connection, 
30 especially through a data-processing communications network, 
to a signing device associated with the signing entity. Said 
controller device receives the signed message from the signing 
device, through the connection means. 

The controller device comprises: 




- computation means, hereinafter called the computation 
means of the controller device, 

- comparison means, hereinafter called the comparison 
means of the controller device. 

5 • Case where the controller device has 

commitments R, challenges d, responses D : 

If the controller device has commitments R, challenges d, 
responses D, the computation and comparison means of the 
controller device ascertain that the commitments R, the 
10 challenges d and the responses D satisfy relationships of the 
type 

R = G! dl . G 2 d2 ....G m dm . D v mod n 
or relationships of the type: 

R = D7G! dl . G 2 d2 . ... G m dm mod n. 
15 Then the computation and comparison means of the 

controller device ascertain that the message M, the challenges 
d and the commitments R satisfy the hashing function: 

d = h (message, R) 
• Case where the controller device has challenges 
20 d and responses D : 

If the controller device has challenges d and responses D, 
the computation means of the controller device can, on the 
basis of each challenge d and each response D, compute 
commitments R' satisfying relationships of the type: 
25 R f ^ G/ 1 . G 2 d2 ....G m dm . D v mod n 

or relationships of the type: 

R' ^ D7G! dl . G 2 d2 . ... G m dm mod n 
and then the computation and comparison means of the 
controller device ascertain that the message M and the 
30 challenges d satisfy the hashing function 

d = h(message, R') 
Case where the controller device has 
commitments R and responses D : 




If the controller device has commitments R and 
responses D, the computation means of the controller device 
apply the hashing function and compute d* such that 

d'= h (message, R) 
5 and then the computation and comparison means of the 

controller device ascertain that the commitments R, the 
challenges d' and the responses D satisfy relationships of the 
type 

R ^ G! dM . G/ 2 . ...G m d ' m . D v mod n 
10 or relationships of the type: 

R ^ D7Gi dM . G 2 d ' 2 . ... G m d ' m mod n. 
Description — of — fefre — kweation 

The goals of the GQ methods are the dynamic 
authentication of entities and messages together with the 
15 digital signature of messages. These are methods "without 
transfer of knowledge". An entity proves that it knows one or 
several private numbers. Another entity checks; it knows the 
corresponding public number or numbers. The proving entity 
wants to convince the checking entity without revealing the 
20 private number or numbers, in such a way as to be able to use 
them as many times as needed. 

Each GQ method depends on a public modulus composed 
of secret high prime numbers. A public exponent v and a 
public modulus n together form a verification key <v 9 n> 
25 meaning "raise to the power v modulo n" and implement by 
means of one or several generic equations, all of the same 
type, direct: G = <2 v (modrc) or inverse GxQ v = 1 (mod n) . 
The type has an effect on the operation of the calculations 
within the checking entity, but not within the proving entity; in 
30 fact, the security analyses confound the two types. Each 
generic equation linked to a public number G and a private 
number Q together form a pair of numbers {G,Q}. To resume, 
each GQ method implements one or several pairs of numbers 
{G,Q} for the same key <v,n>. 
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A classic version of the GQ method, here called GQ1, 

uses an RSA digital signature mechanism. The verification key 
<v,n> is then an RSA public key where the odd exponent v is 
preferably a prime number. Each GQ1 method in general uses a 
5 single pair of numbers {G,Q}: the public number G is deduced 
from identification data according to a format mechanism 
which is an integral part of the RSA digital signature 
technology. The private number Q or its inverse modulo n is 
an RSA signature for identification data. The proving entity 
10 shows its knowledge of an RSA signature of its own 
identification data and this proof does not reveal the signature 
which therefore remains secret, to be used as many times as 
needed. 

The GQ1 methods generally implement two levels of 

15 keys: the RSA private signing key is reserved for an authority 
accrediting entities distinguishing themselves one from the 
other by identification data. Such a mechanism is said to be 
"identity based". Thus, an emitter of chip cards uses his RSA 
private key for the emission of each card to calculate a private 

20 number Q which is inscribed as diversified private key in the 
card; or furthermore, a client on a network of computers uses 
his RSA private key when entering each session to calculate a 
private number Q which will be the ephemeral private key of 
the client during the session. The proving entities, chip cards 

25 or clients in session, know an RSA signature of their 
identification data; they do not know the RSA private key 
which, in the key hierarchy, is at the next higher level. 
Nonetheless, dynamic authentication of entities by GQ1 with a 
modulus of 768 bits at the level of an authority requires 

30 almost the same work load as a dynamic authentication of 
entities by RSA with a modulus of 512 bits with three prime 
factors at the level of each entity, which allows the proving 
entity to use the Chinese remainder technique by calculating a 
modulo result for each of the prime factors before calculating 

35 a modulo result for their product. 





However, the hierarchy of keys between an authority and 
the accredited entities is not obligatory. One can use GQ1 with 
a module belonging to the proving entity, which makes it 
possible to use the Chinese remainder technique to reduce the 
5 work loads of the proving entity, which does not change the 
work load of the checking entity fundamentally, apart from 
the fact that a modulus at the level of the proving entity can be 
shorter than a modulus at the level of the authority, for 
example 512 bits in comparison with 768 bits. 

10 When the entity knows the prime factors of its own 

modulus, why call on an RSA digital signature mechanism?? 

Another version of fiQ methods. here called elementary 

GQ2^_ treats directly the problem of factorization of a modulus 
n. In this context, "directly" means "without calling for the RSA 

15 signature". The aim of GQ2 is to reduce work loads, not only 
of the proving entity but also of the checking entity. The 
proving entity demonstrates knowledge of a breakdown of its 
own modulus and this proof does not reveal the breakdown 
which therefore remains secret, so as to be able to be used as 

20 often as needed. The security of the GQ2 protocol is equivalent 
to factorization of the module. 

Each proving entity has its own modulus n. Each GQ2 
mechanism implements a parameter k, a small number greater 
than 1 fixing a public exponent v=2*, and one or several pairs 

25 of numbers {G h Q } } to {G m ,Q„,}. Each public number G; is the 
square of a small number g, greater than 1 and called a "base 
number". All the proving entities can use the same public 
number or numbers Gy to G m . The factorization of the modulus 
n and the private number or numbers Qj to Q m are then at the 

30 same level in the key hierarchy. Each set of elementary — GQ2 
keys is defined by two necessary and sufficient conditions: 

- for each base number, neither of the two equations 
x 2 = ±gi (mod n) does not have a solution in x in the ring of 
integers modulo n, that is to say that the numbers ±g, are two 

35 non-quadratic residues modulo n. 
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- for each base number, the equation jt v =g/ 2 ( mod n) 
where v = 2* has solutions in x in the ring of integers modulo n. 
The private number Qi or its inverse modulo n is any one of 
these solutions. 

5 Taking into account the second condition, in order that 

the numbers ±gj are two non-quadratic residues modulo n, the 
modulus n must comprise at least two prime factors congruent 
to 3 (mod 4) relative to which the Legendre symbol of gi 
differs. Consequently, any modulus composed of prime factors 

10 of which none or a single one is congruent to 3 (mod 4) does 
not allow a set of elementary GQ2 keys to be established, 
which privileges the prime factors congruent to 3 (mod 4). 
Thus, by taking high prime numbers at random, it appears that 
only half are congruent to 3 (mod 4) and half to 1 (mod 4). As 

15 a result, many RSA models in use cannot establish a set of 
elementary GQ2 keys. 

Here we introduce the sets of generalised GQ2 keys to 

overcome this limitation in order to be able to use GQ2 
technology with any modulus whatsoever, and in particular 

20 with any RSA modulus whatsoever: they depend on two 
necessary and sufficient principles. 

The first principle reproduces the second elementary 
GQ2 condition: 

- For each base number gj to g m , the equation 
25 x v = gi 2 (mod n) where v=2 k has solutions in x in the ring of 

integers modulo n. 

Because the private number Q or its inverse modulo n is 
a solution to the equation, successive squares £-1 modulo n 
transform it into a number q t which is a square root of Gi in 

30 the ring of integers modulo n. Depending on whether the 
number q { is equal to one of the two numbers g, or n-g h or 
different from the two numbers g t and n-g h it is said that it is 
trivial or not. When a number q t is non trivial, n which divides 
qf-gt 2 does not divide either qrgi or qi+gh Any non trivial 

3 5 number q thus reveals a breakdown of the modulus n. 




n=pgcd(n f qrgi)xpgcd(n,qi+gi) 
The second principle widens the first elementary GQ2 
condition: 

- among the numbers qi to q m , at least one number qi is 
5 non trivial. 

It is to be noted that if a number q+ exists while the 
numbers ±g t are two non-quadratic residues in the ring of 
integers modulo rc, the number q { is manifestly non trivial. 
Thus, the set of elementary GQ2 keys are certainly part of the 

10 set of generalised GQ2 keys which make it possible to use any 
modulus whatsoever, that is to say any composition of high 
prime numbers indifferently congruent to 3 or to 1 (mod 4) at 
least two of which are distinct. On the other hand, many sets 
of generalised GQ2 keys are not sets of elementary GQ2 keys. 

15 Each set of generalised GQ2 keys is in accordance with one of 
the following cases: 

- when the 2xra numbers ±gj to ±g m are all non-quadratic 

residues, this is a set of elementary GQ2 keys. 

- when among the 2xm numbers ±gl to ±gm, there is at 
20 least one quadratic residue, this is not a set of elementary GQ2 

keys, it is what is known here as a set of complementary GQ2 
keys. 

The present i nvention relates 1Q the S£lS of 

complementary GQ2 keys, by definition these sets of 

25 generalised GQ2 keys not being elementary. Besides the two 
preceding principles, such a set must satisfy a third principle. 

-among the 2xra numbers ±gi to ±g m9 there is at least one 
quadratic residue. 

In order to assess the problem and understand the 
30 solution we provide, that is to say the invention, let us first of 
all analyse the breakdown of the modulus n revealed by a non 
trivial number q, and then recall the Chinese remainder 
technique, and then the notion of rank in a Galois field CG(p); 
and next, study the functions "raise to the square" in CG(p) 
35 and "take a square root" of a quadratic residue in CG(p); and 




finally, analyse the applicability of the three principles stated 
above. 

Analysis of the breakdowns of the module : 

Just as the modulus n is broken down into / prime 
5 factors pi to /?/, the ring of integers modulo n is broken down 
into / Galois fields CG(/? 7 ) to CG(py). In each field, there are 
two unit square roots, that is ±L In the ring, there are thus 2 f 
unit square roots. Each private number Qj to Q m defines a 
number Ai-q/gi (mod n) which is one of these 2 f unit square 
10 roots in the ring; in other words, n divides A?-l. 

• when q t is trivial, that is to say 4,-=±l, n divides A r l, or 
Ai+1 and therefore A x does not reveal the breakdown of the 
modulus n. 

• when qi is non trivial, that is to say A X A±\, n does not 
15 divide either A r l or 4,+ l and thus A reveals a breakdown, 

n = pgcdO, A r l)xpgcd(n, /4/+1), resulting from the value of Aj in 
each field : the prime factor or factors dividing A r l on the one 
hand, this or these dividing. ^+1 on the other. 

Examination of the rules of multiplicative composition of 
20 the numbers q. Two numbers {qi,q 2 } give a composite number 
q jxq 2 (mod n), 

- when qi is non trivial and q 2 is trivial, the composite 
number gyxg 2 (niod n ) IS non trivial; it reveals the same 
breakdown as qj. 

25 - when qj and q 2 are non trivial and A\ = ±A 2 The 

composite number qjxq 2 (mod n) is trivial; it does not reveal 

any breakdown. 

- when qj and q 2 are non trivial and Ai * ±z\2, the 
composite number qjxq 2 (mod n) is non trivial; it reveals a 

30 third breakdown. 

Three numbers {<7/,<?2,<?j} give four composite numbers 
[qlxq2, qlxq3, q2xq3, q 1 xq2xq3(mod n)}, that is a total of 
seven numbers; m numbers thus provide 2 m -m-l composite 
numbers, that is a total of 2 m -l numbers. 




We shall now consider a set of generalised GQ2 keys 
comprising i base numbers gj to g L and i private numbers Qj to 
Qi giving i numbers q\ to q t and therefore / numbers A x to A x 
which are the unit roots. Let us try to take into account 
5 another base number g i+] by a private number Q i+] giving a 
number q i+] and thus a root A i+l . 

• The total of the 2 1+1 -1 numbers comprises as many non 
trivial numbers in each of the following cases. 

the root A i+1 is trivial and at least one root A\ to A x is 

10 non trivial. 

The root A i+I is non trivial and figures among the 
2xi roots ±^i and ±A U 

• In the case where the root A i+1 is non trivial and does 
not figure among the 2xi roots ±Aj to ±A h each composite 

15 number where q i+7 figures is non trivial. 

Consequently, when among the m numbers qj to q m , at 
least one is non trivial, more than half the total of the 2 m -l 
numbers are non trivial. 

By definition, it is said that l<f non trivial numbers 

20 {qi,q2t-»qi} are ^dependent relative to the modulus n when 
each of the 2'-/-! corresponding composite numbers is non 
trivial, that is to say that, in total, the 2'-l numbers are all non 
trivial. Each of these 2 / -l numbers thus reveals a different 
breakdown of the modulus n. 

25 - When the / prime factors are distinct, there are 2 /_/ - 1 

breakdowns of the modulus n. Thus, if f-1 numbers q are 
independent, there is a bi-univocal correspondence between 
the 2^-1 breakdowns and a total of 2 /7 -l numbers comprising 
the f-1 independent numbers and the 2 /7 -/ corresponding 

30 composite numbers. 

• Chinese remainders 

Either two numbers a and b y prime numbers between 
themselves such as 0<a<b, and two numbers X a from 0 to a- 1 
and X b from 0 to 6-1; it concerns the determination of the 
35 unique number X from 0 to ajc6-l such that X a =X(mo& a) and 




X b =X(mod b). The number x={fc(mod a)}" 1 (mod a) is the Chinese 
remainders parameter. The elementary Chinese remainders 
operation is given below: 

x = X b (mod a) 
5 y = X fl -x; if y is negative, replace j by y+a 

z = axy (mod a) 

X = zxb + X* 

To resume, one writes : X = Chinese Remainders (X a ,X b ). 
When / prime factors are arranged in increasing order, 
10 from the smallest pi to the biggest p 7 , the Chinese remainder 
parameters can be the following (there is one less than the 
prime factors, that is to say /-l). 

- The first parameter is x= (p 2 (mod Pi)y l (modpj). 

- The second parameter is (3= (pjxp 2 (modp 3 )y l (modpj). 
15 - The *-th parameter is X= (p 7 x ...p/./(mod p / ))" 1 (mod pi). 

- And so on. 

In/-1 elementary operations, one establishes a number X 
from 0 to n-l starting from any set of f components from Xj to 
X f with Xj from 0 to pj-l : 
20 - a first result (mod pi^p 2 ) with the first parameter, 

- then a second result (mod Pixp 2 xp 3 ) with the second 
parameter, 

- until the final result (mod n = p } xp 2 x ...p f ) with the last 
parameter. 

25 To resume, given the prime factors pi to p/, each element 

of the ring of integers modulo n has two equivalent 
representations: 

- / numbers Xj to X f , a prime factor component: 

Xy=X(modp 7 ), 

30 - a number X from 0 to n-l, X=Chinese remainders 

(Xj,X 2 ,...Xf). 

Rank of numbers in CG(p) - Let p be an odd prime 
number and a a number smaller than p i.e. 0 < a < p. By 
definition, the rank of a with respect to p is the period of the 
35 sequence {X} defined by {x t = a; then, for i > 1, x i+r = axx, (mod 
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p)}. By applying the Fermat theorem we obtain: x i+p = a p xx t = 
axxi = x i+1 (mod p). Therefore, the rank of a number a with 
respect to a prime number/? is p-l or a divider of p-l. 

For example, when (p-l)/2 is an odd prime number p', 
5 the Galois field CG(p) includes a number of rank 1: this is 1, a 
number of rank 2: this is -1, p'-l numbers of rank p' and p'-l 
numbers of rank 2xp' = p-l. In CG(p), any number of rank p-l 
is a "generator". The name is due to the fact that the 
successive powers of a generator in CG(p), i.e. the terms of the 

10 sequence {X} for indices from 1 to p'-l, form a permutation of 
all the non-zero elements of CG(p). 

Let y be a generator of CG(p). Let us evaluate the rank of 
the number y' (mod y) according to / and p-l. When i is prime 
with p-l, this is p-l. When i divides p-l this is (p-l)//. In all 

15 cases, this is (p- 1 )/lgcd(p- 1 ,/) (lgcd = largest common 
divisor). 

By definition, Euler's function <p(n) is the number of 
numbers smaller than n and prime with n. In CG(p), there are 
<P(p- 1) generators. 

20 As an illustration, understanding the bases of the RSA is 

facilitated with the rank. Module n is the product of /prime 
factors p-l to p-/, with / > 2. For each prime factor p/ from p 1 
to p f the public exponent e should be prime with p y -l. Now, 
key <e,pj> observes the rank of the elements of CG(pj): it 

25 permutates the elements of CG(pj); there exists a number d p 
generally as small as possible, such that p_i divides exdy { . The 
key <dj, pj> inverts the permutation of the elements of CG(pj). 
These / permutations, one in each field CG(pO to CG(p f ), are 
expressed in the ring of integers modulo n by the RSA 

30 permutation summarized by the public key <e, n>. There exists 
a number d, generally as small as possible, such that the 
smallest common multiple (scm) of (p Uy p 2 -i,.. Pf-i) divides 
dxe-l. For each prime factor pj from p { to p f , we have d } s d 
(mod pj.i). The RSA permutation summarized by the public key 

3 5 <e, n> is inverted by the private key <<i, n> . 
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Squares in CG(p) - Let us define a number t such that 
p-1 is dividable by 2', but not by 2'" 7 . Each large prime number 
appears in one and only one category: f = 1, f = 2, f = 3, f = 4, 
and so forth. If a sufficiently large number of successive prime 
5 numbers are considered, about one out of two appears in the 
first category where p is congruent to 3 (mod 4), one out of 
four in the second one, where p is congruent to 5 (mod 8), 
one out of height in the third one, where p is congruent to 9 
(mod 16), one out of sixteen in the fourth one, where p is 

10 congruent to 17 (mod 32), and so forth; on the average, one 
out of 2' appears in the nth category where p is congruent to 
2 t+1 (mod 2' +/ ). 

Because numbers x and p-x have the same square in 
CG(p), key <2,p> does not permutate CG(/?). The function 

15 "take the square" in CG(p) may be represented by an 
orientated graph wherein each non-zero element of the field 
finds its place. Let us analyze the structure of the graph into 
branches and cycles according to the parity of the rank of 
each element. 

20 - The yero element is set. This is 0. Rank is not 

defined for the zero element to which no other element is 
related; the zero element is isolated. 

The unit element is set. This is 1, the only element 
of rank 1. All the roots of unity in CG(p) are located in the 

25 branch related to 1. Let y be a non-quadratic residue of CG(p), 
any residue; key <p-\)l2\ p> transforms y into a primitive 2'~ 
7 th root of -1 referenced as b\ indeed, we have y (p ' ] 12 = -l(mod 
p). Therefore, in CG(p), the powers of b for exponents from 1 
to 2'~\ are the 2'" 7 roots of unity other than 1: they make up 

30 the branch related to L 

The square of any element of even rank is another 
element the rank of which is divided by two. Therefore, each 
element of even rank is placed in a branch; each branch 
includes a rank number dividable by two, but not by four, 

3 5 next, if t > 2, two rank numbers dividable by four but not by 
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eight, next, if t > 3, four rank numbers dividable by eight but 
not by sixteen, next, if t > 4, eight rank numbers dividable by 
sixteen but not by 32, and so forth. All the branches are 
similar to the branch related to 1; the 2 1 ' 1 leaves of each 
5 branch are non-quadratic residues; each branch includes 2*' ! 
elements and is related to an element of odd rank; there are 
(p-l)/2 / branches which are all of the same length t. 

The square of any element of odd rank other than 
the unit element is another element having the same rank. Key 
10 <2,p> permutates the set of (p-l)/2 r elements of odd rank. 
The permutation is factorized into permutation cycles. The 
number of cycles depends on the factorization of (p-l)/2 / . For 
each divider p' of (/?-l)/2', there is a cycle including the (p(p') 
elements of rank p'. Let us recall that by definition, Euler's 
15 function cp(p') is the number of numbers smaller than p' and 
prime with p\ For example, when p' equals (/?-l)/2',is prime, 
the p'-l numbers of rank p' form a large permutation cycle. 

Figures 1A-1D each illustrate a graph fragment for p 
congruent to 3 (mod 4), 5 (mod 8), 9 (mod 16) and 17 (mod 
20 32), respectively. 

The leaves on the branches are illustrated by white 
circles; these are non-quadratic residues. 

The nodes in the branches are illustrated by grey 
circles; these are quadratic elements of even rank. 
25 - The nodes in the cycles are illustrated as black circles; 
these are quadratic elements of even rank. 
Square roots in CG(p) - Knowing that a is a quadratic 
residue of CG(p), let us see how to calculate a solution to the 
equation x 2 = a (mod p) i.e. "take a square root" in CG(p). Of 
30 course, there are many ways for obtaining the same results; 
pages 31-36 of the book of Henri Cohen, a Course in 
Computation Algebraic Number Theory, published in 1993 by 
Springer in Berlin as volume 138 of the Graduate Texts in 
Mathematics series (GTM 138), may be consulted. 




The number s = (p- 1+2')/2' +/ provides a key <s, /?>) 
which is: 

<(p+l)/4, p> when p is congruent to 3 (mod4), 
<(/?+3)/8, /?> when p is congruent to 5 (mod8), 
5 <(p+7)/16, p> when p is congruent to 9 (mod!6), 

<(p+15)/32, p> when p is congruent to 17 (mod32), 
and so forth. 

Key <s, p> transforms any element of a cycle into 
the previous element in the cycle. When a is of even rank, it is 

10 the solution of odd rank, we name it w. Indeed, in CG(p), w 2 la 
is equal to a to the power of (2x(p- 1 +2')/<2' +/ )-l = "(p-l)/2'. 
The other solution is of even rank; this is p-w. 

Generally, the key <s, p> transforms any quadratic 
residue a in a first approximation, into a solution which we 

15 name r. As a is a quadratic residue, the key <2'~ y , p> certainly 
transforms r 2 /a into 1. To approach a square root of a, let us 
take the power 2*' 2 of r 2 la (mod p) in order to obtain +1 or -1. 
The new approximation remains r if the result is +1 or else it 
becomes b x r (mod p) if the result is -1, knowing that p refers 

20 to any primitive 2'th root of 1 in the field CG(p). Therefore, 
the key <2'~ 2 , p> transforms the new approximation into 1. It 
may still be approached by using the key <2 / J , p> and by 
multiplying with bl (mod p) if necessary, and so forth. 

The following algorithm solves the equation. It uses 

25 numbers a,b,p, rand r, as defined above and two variables: c 
represents the successive corrections and w the successive 
approximations. At the beginning of the algorithm, c = b and w 
= r. At the end of the calculation, the two solutions are iv and 
p-w . 

30 For i from t-2 to 1, repeat the following sequence: 

- Apply key <2 / , p> to number w 3 /a (mod p) in order to 

obtain +1 or -1. 

• - When -1 is obtained, replace w by wxc (mod p). 

- Replace c by c2 (mod p). 




Applicability of the principles - By definition we 
state that a parameter k, a base number g and a prime factor p 
are compatible when the equation x v = g 2 (mod p) where 
exponent v is 2*, has solutions in x in the field CG(/?). Numbers 
5 k and g are small and larger than 1. Number p is a large prime 
number. 

- When t — 1, i.e. p = 3 (mod 4), the equation has two 
solutions. 

- When t = 2, i.e. p = 5 (mod 8), according to the 
10 Legendre symbol of g with respect to p, the equation has four 

solutions if (g \ p) = +1; it does not have any solution if (g \ p) = 
-1. 

- When t > 2, i.e. p = 1 (mod 8), let u be the number such 
that 2" divides the rank of the public number G = g 2 with 

15 respect to p, but such that 2" +; does not divide it; therefore, u 
is equal to one of the numbers from 0 to f-1. The equation has 
no solution if u > 0 and k + u > t\ it has 2 k solutions if k + u < t\ 
it has 2' solutions if u = 0 and A: > t. 

Therefore, there are two types of compatibility according 

20 to whether G is in a cycle, or else in a suitable position in a 
branch. 

When G is in a cycle, i.e. u = 0, regardless of the 
value of k, there is a solution of odd rank in the cycle and 
solutions of even rank disseminated in a = min(£, t) 
25 consecutive branches related to the cycle, i.e. 2 solutions in 
all. Figure 2A illustrates this case with k > t = 3, i.e. a prime 
factor congruent to 9 (mod 16), which imposes that u = 0. 

When G is in a suitable position in a branch, i.e. u > 0 and 
u+k < t, there are 2 k solutions, all of even rank and in the 
30 branch. Figure 2B illustrates this case. 

Given a parameter k, there are therefore two types of 
prime factors according to whether the value of t is less than k 
or else larger than or equal to k. 

For any prime factor p Jy such as t < k, each G £ 
35 should be in a cycle, and there is no solution in the branch 




related to G,-. Let us define a number A itj which is +1 or -1 
according to whether g, or -g,- is in the cycle. There is no 
choice for any of the m numbers Ajj to 4 m j. Figure 3 A 
illustrates a case with t < k: Gi is in a cycle with a prime factor 
5 congruent to 9 (mod 16), i.e. u = 0, r = 3 with & > 3. 

For any prime factor pj such that t > k, each G, 
should be such that u + k < i.e., either in a cycle with u = 0 
or else, in a suitable position in a branch with 1 < u < t-k. Let 
us define a number A it j which is +1 or -1 according to whether 
10 Qij is in the portion of the graph related to gi or to -g h There is 
a choice for each of the m numbers A ]fJ to A mJ ; each number A itJ 
may individually be switched from one value to the other. 
Figure 3B illustrates a case when / > G, is in a branch with a 
prime factor pj congruent to 17 (mod 32), i.e., u = 1, / = 4 

15 with k = 3. 

Each set of / components {Ai j ... A itf } is a square root of 
unity in CG(/? 7 ). This root is trivial or not according to whether 
the / components are equal or not; we then state that the set 
of / components is constant or variable, which expresses the 

20 fact that the number q t is either trivial or not. Therefore, when 
a number q t is non-trivial, the set of / components {A u ... Ay) 
summarizes a factorization of the module. It is therefore 
possible to test the principles before calculating the private 
components Qij. 

25 - When a public number G/ is in a cycle for a prime 

factor pj, the number Ay is +1 or -1, according to whether g/or 
-gi is in the cycle. When pj = 3 (mod 4), this is Legendre's 
symbol: Ajj = (g,-|py). 

When a public number Gj is in a suitable position in 
30 a branch for a prime factor pj, the value to be given to Ay may 
be determined by computing the private component Q lr 

Production of sets of keys - Given a parameter £, 
there are two strategies. 

Either the generator requires / prime factors in 
35 order to determine m base numbers. The first prime numbers: 




2, 3, 5, 7, ... are examined for evaluating their compatibility 
with each of the /large prime factors p t to p f . Although g = 2 is 
not compatible with p s 5 (mod 8), 2 may enter into the 
composition of a base number. Indeed, when two numbers are 
5 in a similar position in a branch, their product is closer to the 
cycle, exactly as a square brings the cycle closer. A base 
number may thereby be obtained by composing the numbers 
which are not appropriate individually. 

Or the generator requires m base numbers and 

10 characteristics of the module such that a bit size (for example, 
512, 768, 1024, 1536, 2048) and a number of bits successive 
to 1 with strong weights (for example, 1, 8, 16, 24, 32) in 
order to determine f> 2 prime factors. Noted as G/, G2,.. G,„, 
the base numbers generally appear among the first prime 

15 numbers: 2, 3, 5, 7, 11 ... or else these are combinations of the 
first prime numbers. Unless indicated otherwise, these are the 
first m prime numbers; G/ =2, G 2 = 3, G 3 =5, G 4 = 7,... Let us 
note that p s 5 (mod 8), is not compatible with g = 2. Module 
n will be the product of / prime factors with close sizes, i.e. 

20 the size assigned to the module divided by f. 

First principle - The parameter £, each prime factor 
from p t to p f and each base number g from gj to g m should be 
compatible. Let us define a number h such as 2 h divides the 
rank of g with respect to p, whereas 2 h+I does not divide it. To 

25 compute the number h, the following procedure uses 
Legendre's symbol (g \ p) and a number b, a primitive 2 l th root 
of unity in CG(p). 

- If (g I p) = + 1 with t = 1, return "h = 0". 

-If (sip) = + 1 with/> 1, apply the key <(p- 1 +2')/2 t+I , p 
30 > to G in order to obtain a result called w. 

If w = + g, return = 0 n . 
If w = p-g, return "h = 1". 
Else, set c to b and for i from t-l to 2, 

- Apply key <2\ p> to wig (mod p) in order to obtain ± 

35 1, 




- If -1, set h to i and replace w with wxc (mod/?), 

- Replace c with c2 (mod p). 

Return "value of h from 2 to t-1". 
If = - 1, return "/i = f". 

5 Let us recall that £, g and p are incompatible when w > 0 

with k+u > /; they are compatible when h = 0 or 1, regardless 
of the value of £, and equally when k > 1 with < /+ 1 . 

Second principle - The three following procedures 
correspond to different implementations of the second 
10 principle. In certain implementations, the second principle 
may be reinforced to the point of requiring that each number 
q } to q m be not trivial. The role of the base numbers is then 
balanced; balancing or not the second principle has an effect 
of certain aspects of the demonstration of the security of the 
15 scheme. Finally, when there are f > 2 distinct prime factors, 
among the m numbers {qi ... <?,„}, it may be required that there 
be at least one subset of f-1 independent numbers. 

The three procedures use mxf numbers 8 itj defined as 

follows. 

20 - When pj is such that t < £, for / from 1 to m, 5 1%/ = 

A ij9 i.e. +1 if hij = 0 and -1 if h itj = 1. 

When pj is such that t > &, for i from 1 to m, 5/j= 0, 
which means that Ajj to A mJ may be selected according to the 
second principle. 

25 A first procedure ascertains that at least one set {8 if] ... 

8 iff } is variable or zero, i.e. that at least one number qj to q m is 
non-trivial or may be chosen as non-trivial. 

For i from 1 to m and j from 1 to /, 
if Si j = 0 or * 5//, return "success". 
30 - Return "failure". 

A second procedure ascertains that each set [Su ... <5//} is 
variable or zero, i.e. that each number qj to q m is non-trivial 
or may be chosen as non-trivial. 
For i from 1 to m, 
3 5 - For j from 1 to /, 




- if 8 it j= 0 or * $/,/, skip to the next 
value of /, 

- Return "failure". 

Return "success". 
5 A third procedure ascertains that each pair of prime factors 
Pjj and pj2, with 1 < jj < j 2 ^ /, there is at least one set {8 }i j ... 
8ij] where Sijj is zero or different from S itj 2. It obviously fails 
when m is smaller than /-l. When it succeeds, among the m 
numbers q } to q m , there is at least one set of independent f- I 
10 numbers with respect to the /prime factors. 

For jj from 1 to/-l and for j 2 from jj + 1 to /, 
For i from 1 to m, 

- If Si j] - 0 or ^ skip to the next values of ji and j 2 , 

Return "failure". 
15 - Return "success". 

When a procedure fails, the generator of GQ2 key sets 
follows its strategy chosen from the two possible strategies: 

Change one of the m base numbers while keeping 
the /prime factors, 
20 - Change one of the /prime factors while keeping the 

m base numbers. 

Third principle - The following procedure determines 
whether the set of generalized GQ2 keys, either during 
production or already produced, is 
25 - either a set of elementary GQ2 keys, i.e. that the 

2xm numbers ± gj to ± g m are all non-quadratic residues, 

or else, a set of complementary GQ2 keys, i.e. that 
among the 2xra numbers ±gj to ±g m9 there is at least one 
quadratic residue. 
30 The procedure uses both Legendre's symbols (gi\pj) and 

Pj) for i from 1 to m and for j from 1 to / 
For i from 1 to m, 
For j from 1 to /, 

If (gilpj) = -1, skip to the next value of i. 
3 5 - Return "set of complementary GQ2 keys". 




For j from 1 to /, 

If (gilpj) = -1» skip to the next value of i. 
Return "set of complementary GK2 keys". 
Return "set of elementary GK2 keys". 
5 Private components - For an equation of the direct type: 

x v = (mod pj) the following computation establishes all the 
possible values for the private component Q itJ . The two 
simplest and most current cases, i.e. t = 1 and t = 2, are 
followed by the more complex case, i.e. t > 2. 
10 For t = 1, i.e. pj a 3 (mod 4), the key <(pj+ 1 )/4,p y > 

provides the quadratic square root of any quadratic residue in 
CG (pj). From this, a number is derived 

Sj = ((pj+l)/4) k (mod (p r l)/2), which gives a key 
<s jy pj> transforming G, into w = G/ 7 (mod p,). Q itj is equal to w 
15 or pj-w . 

For * = 2, i.e. py b 5 (mod 8), the key <(/?y+3)/8, /?/> 
provides the square root of odd rank for any element of odd 
rank in CG(pj). From this, a number is derived Sj = ((p j+3)/S) k 
(mod (py-l)/4), which gives a key <sj,pj> transforming G,- into 

20 w = G/ y (mod pj). Let us note that z = 2 ipj ~ l)/4 (mode pj) is a 
square root of -1 because 2 is a non-quadratic residue in CG 
{pj), Q it j is either equal to w or to pj-w or else to w' = wxz (mod 
pj) or pj-w'. 

For pj e 2'+l (mod 2 /+y ) with f > 2, key 

25 <(/?,- 1 + 2' )/2 / + y , pj> provides the square root of odd rank of 
any element of odd rank. The compatibility test between k, g 
and p gave the value of h, next that of u. 

When Gi is in a cycle (u = 0, regardless of the value 
of a number is established, 

30 sj b ((p y -l + 2 r )/2 r+l ) k (mod (p r l)/2 t ). Key <^-, p 7 > 

transforms G, into the solution of odd rank w = G, SJ (mod 
There are solutions of even rank distributed in min(k, t) 
consecutive branches related to the cycle, let us say, in a 
branches. Q it j is equal to the product of w by any of the 2 th 

35 roots of unity in CG(py). 




When Gj is in a suitable position in a branch (u > 0, u + 
k < 0, all the solutions are in the same branch as G 7 , a branch 
related to a cycle by the 2"th power of the number G,. A 
number is established as 
5 j y s ((p r l+2')/2' + V + " (mod (p r l)/2'. 

Key <^ 7 , p 7 > transforms the 2 u th power of G, into a 
number of odd rank w. The set of products of w with the 
primitive 2* + "th roots of unity in CG(p ; ) comprises the 2 k 
values of Q itj . 

10 When pj is such that t > k, as number bj is a primitive 2 l th 

root of unity in CG(py), the 2 t_u th power of bj in CG(pj) exists; 
this is a primitive 2 k th root of unity. The value of number A itj 
may be switched by multiplying Q it j by a primitive 2 k th root of 
unity. 

15 For an equation of the inverse type: 1 = x v xg ( 2 (mod pj), it 

is sufficient to replace number Sj ^ with ((p j- 1 )/2')-Sj in the key 
<Sj 9 pj>, which amounts to inverting the value of Q itj in CG(p y ). 
Example of a set of keys with two prime factors 
congruent to 5 (mod 8) 

20 Pl 

E6C83BF428689AF8C35E07EDD06F9B39A659829A58B79CD89 
4C435C95F32BF25 

P2 

11BF8A68A0817BFCC00F15731C8B70CEF9204A34133A0DEF8 
25 62829B2EEA74873D 

n = Pj*P2 

FFFF8263434F173D0F2E76B32D904F56F4A5A6A50008C43D32 

B650E9AB9AAD2EB713CD4F9A97C4DBDA3828A3954F296458 

D5F42C0126F5BD6B05478BE0A80ED1 
30 Here are the Legendre symbols of the very first prime 

numbers. 

(2 | Pl ) = -1; (3 | pj) = -1; (5 I Pl ) = +1; (7 I p } ) = -1; 
(lllp;) = +1; (13|p y ) = -1; (\l\pi) = +1; 

In CG(p;), the rank is odd for -5, -11 and 17. 
35 (2|p 2 ) = -l; 0\p 2 ) = +l; (5\p 2 ) = +1; a\p 2 ) = +1; 




(11 \p 2 ) = +1; (13 |p 2 ) = -1; (17|p 2 ) = -1; 

In CG(p 2 ), the rank is odd for 3, -5, 7 and 11. 

Carmichael's function is 

X(n) = scmCO^-W, (p 2 -l)/4). 
5 X(n)=33331A13DA4304A5CFD617BD6F8343 11642 12154 

3334F40C3D57A9C8558555D5BDAA2EF6AED17B9E3794F51A6 
5A1B37239B18FA9B0F618627D8C7E1D8499C1B 

With k = 9, the number a = X(n)-(( 1 +X(rc))/2) 9 
(mod X(n)) is used as a private exponent, in order to use the 
10 generic equations of the inverse type. 
a 

= 01E66577BC997CAC273671E187A35EFD25373ABC9FE6770E 
7446COCCEF2C72AF6E89DOBE277CC6165F1007187AC58028BD 
2416D4CC 1121E7A7A8B6AE186BB4B0 
15 Numbers 2, 3, 7, 13 and 17 are not suitable as base 

numbers. 

Key <o,n> transforms gj = 5 into a private number Qi 
which does not shows any factorization. Indeed, in both fields, 
-5 is on a cycle. 
20 Qi 

818C23AF3DE333FAECE88A71C4591A70553F91D6C0DD5538E 
C0F2AAF909B5BDAD491FD8BF13F18E3DA3774CCE19D0097BC 
4BD47C5D6E0E7EBF6D89FE3DC5 176C 

Key <o,n> transforms g 2 = 11 into a private number Q 2 
25 which shows a factorization. Indeed, 11 is not in the same 
position in both fields; 

Q 2 = 

25F9AFDF177993BE8652CE6E2C728AF31B6D66154D3935AC53 
5196B07C19080DC962E4E86ACF40D01FDC454F2565454F2900 
30 50DA052089EEC96A1B7DEB92CCA7 

Key <a,n> transforms g 3 = 21 = 3x7 into a private 
number Q 3 which shows a factorization. 

Q 3 = 78A8A2F30FEB4A5233BC05541 AF7B684C2406415EA1DD 
67D18A0459A1254121E95D5CAD8A1FE3ECFE0685C96CC7EE86 
3 5 167D99532B3A96B6BF9D93CAF8D4F6AF0 
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Key <G,n> transforms g 4 = 26 = 2x13 into a private 
number Q 4 which shows a factorization. 
Q 4 = 

6F1748A6280A200C38824CA34C939F97DD2941DAD300030E 
5 481B738C62BF8C673731514D1978AF5655FE493D659514A6CE 
897AB76C01E50B5488C5DAD12332E5 

The private key may further be represented by both 
prime factors, the parameter of the Chinese remainders and 
eight private components. 
10 a = 0 2 (mod p ; ))' l (mod p y ) = 

ADE4E77B703F5FDEAC5B9AAE825D 
649E06692D15FBF0DF737B115DC4D012FD1D 
Qi.i = Q/(mod pj) = 

7751AEE918A8F5CE44AD73D613A4F465E06C6F 
15 9AF4D229949C74DD6C18D76FAF 
Q i,2 = Q/(mod p 2 ) = 

A9EB5FA1B2A981AA64CF88C382923DB64376F 
5FD48152C08EEB6114F31B7665F 
Q2,i = <22(mod pi) = 
20 D5A7D33C5FB75A033F2F0E8B20274B957FA3 
4004ABB2C2AC1CA3F5320C5A9049 

Q 22 = <22(mod p 2 ) = 

76C9F5EFD066C73A2B5CE9758DB512DFC011 
F5B5AF7DA8D39A961CC876F2DD8F 
25 Q 3 ,i ^ Q 3 (mod p ,) = 

2FEC0DC2DCA5BA7290B27BC8CC85C938A514 
B8F5CFD55820A174FB5E6DF7B883 

Q3,2= Q 3 (mod pi) = 010D488E6B0A38A1CC406CEE0D55DE59 
013389D8549DE493413F34604A160C1369 
30 Q 4 ,i = e 4 (mod Pl ) = 

A2B32026B6F82B6959566FADD9517DB8ED852 

4652145EE159DF3DC0C61FE3617 

Q 4i2 = Q 4 (mod p 2 ) = 

011A3BB9B607F0BD71BBE25F52B305C22489 
3 5 9E5F1F8CDC2FE0D8F9FF62B3C9860F 
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Polymorphism of the private key GQ2 - The 

different possible representations of the private key GQ2 
prove to be equivalent: they all amount to knowing the 
factorization of the module n which is the actual GK2 private 

5 key. The representation of the GQ2 private key has an effect 

on the progress of the computations within the demonstrating 

entity b ut n ot w ithin the controlling entity. Here are the three 

main representations which are possible for the GQ2 private 
key. 1) The conventional representation of GQ private keys 

10 consists in storing ra private numbers Q t and the public 
checking key <v, n>\ for the GQ2 schemes, this representation 
is in competition with the following two. 2) The optimum 
representation in terms of work loads consists in storing the 
parameter k, the / prime factors p 7 , the rax/ private 

15 components Q it j and the f-1 parameters of the Chinese 

remainders. 3) The optimum representation in terms of 

private key size consists in storing the parameter the m base 
numbers g t and the /prime factors pj, and then in starting each 
use by establishing either m private numbers Q t and the 

20 module n so that it amounts to the' first representation, or rax/ 
private components Q it j and the /-l parameters of the Chinese 
remainders so that it amounts to the second representation. 

Because the security of the dynamic authentication 
mechanism or of the digital signature is equivalent to knowing 

25 a factorization of the module, with the GQ2 schemes, it is not 
possible to distinguish two entities using the same module 
simply. Generally, each proving entity has its own GQ2 module. 
However, GQ2 modules with four prime factors may be 
specified, two of which are known to an entity and the other 

30 two to another one. 

Dynamic authentication - The dynamic 

authentication mechanism is for proving to an entity called a 
controller, the authenticity of another entity called a 
demonstrator as well as the authenticity of a possible 

3 5 associated message M, so that the controller ascertains that it 




is actually dealing with the demonstrator and optionally that 
itself and the demonstrator are speaking of the same message 
M. The associated message M is optional, which means it may 
be empty. 

5 The dynamic authentication mechanism is a sequence of 

four acts: an engagement act, a challenge act, a response act 
and a checking act. The demonstrator plays the engagement 
and response acts. The controller plays the challenge and 
checking acts. 

10 Within the demonstrator, a witness may be 

isolated, in order to isolate the most sensitive parameters 
and functions of the demonstrator, i.e. the production of 
commitments and responses. The witness has the parameter k 
and the GQ2 private key, i.e. the factorization of the module n 

15 according to one of the three representations mentioned 
above: • the /prime factors and the m base numbers, • the mxf 
private components, the / prime factors and the /- 1 
parameters of the Chinese remainders, • the m private 
numbers and the module n. 

20 The witness may correspond to a particular embodiment, 

for example • a chip card connected to a PC forming together 
the demonstrator or even • programs particularly protected 
within a PC or even • programs particularly protected within a 
chip card. The thereby isolated witness is similar to the witness 

25 defined hereafter within the signing entity. Upon each 
execution of the mechanism, the witness produces one or 
more commitments R, and then as many responses D to as 
many challenges d. Each set {R, d, D} forms a GQ2 triplet. 

In addition to it comprising the witness, the 

30 demonstrator also has a hashing function and a message Af, if 
necessary. 

The controller has the module n, for example, from a 
directory of public keys or even from a certificate of public 
keys; if necessary, it also has the same hashing function and a 
35 message AT. The GQ2 public parameters, i.e. numbers k, m and 




gj to g m may be provided to the controller by the 
demonstrator. The controller is able to reconstruct a 
commitment R' from any challenge d and from any response 
D. Parameters k and m inform the controller. Unless indicated 
5 otherwise, the m base numbers from g } to g m are the first m 
prime numbers. Each challenge d should include m elementary 
challenges referenced from dj to d m : one per base number. 
Each elementary challenge from dj to d m is a number from 0 to 
2*" J -1 (numbers from v/2 to v-1 are not used). Typically, each 

10 challenge is coded by m times k-l bits (and not m times k 
bits). For example, with k = 5 and m = 4 base numbers, 5, 1 1 , 
21 and 26, each challenge includes 16 bits transmitted on four 
quartets. When the possible (k-l)xm challenges are equally 
probable, the number (fc-l)xra determines the security 

15 brought by each GQ2 triplet: an impostor who by definition, 
does not know the factorization of the module n, has one 
chance of success out of 2 (k " 1)Xm , exactly. When(M)xm is 
from 15 to 20, one triplet is sufficient for reasonably ensuring 
dynamic authentication. In order to achieve any level of 

20 security, triplets may be produced in parallel; they may also be 
produced in sequence, i.e. repeat the execution of the 
mechanism. 

1) The act of commitment comprises the following 
operations. 

25 When the witness does not use the Chinese remainders, it 

has the parameter k, the m private numbers from Q } to Q m and 
module n\ it randomly and privately picks one or more 
random numbers r (0 < r < n)\ and then by successively 
squaring them k times (mod n), it transforms each random 

30 number r into a commitment R. 

R = r v (mod n) 

Here is an example with the previous set of keys without 
the Chinese remainders. 

r = 
35 5E94B894AC24AF843131F437C1B1797EF562CFA53AB8AD426C 
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1AC016F1C89CFDA13120719477C3E2FB4B4566088E10EF9C010E 

8F09C60D98 15 12 198126091996 

R 

6BBF9FFA5D509778D0F93AE074D36A07D95FFC38F70C8D7E33 
5 0OEBF234FAOBC20A95152A8FB73DE81FAEE5BF4FD3EB7F5EE3E3 
6D7068D083EF7C93F6FDDF673A 

When the witness uses the Chinese remainders, it has the 
parameter k, the first / prime factors from pj to pf, f-\ 
parameters of Chinese remainders and mxf private 
10 components Qjj, it randomly and privately picks one or more 
collections of /random numbers: every collection includes one 
random number r, per prime factor p { (0 < r f < /?,); and then by 
successively squaring it k times (mod pi), it transforms each 
random number r, into a commitment component R h 
15 Ri= r, v (mod pi) 

For each collection of / commitment components, the 
witness establishes a commitment according to the Chinese 
remainder technique. There are as many commitments as 
there are random number collections 
20 R = Chinese remainders^;, R 2 ,. ■■ Rf) 

Here is an example with the previous set of keys and with 
the Chinese remainders. 

ri= 5C6D37F0E97083C8D120719475E080BBBF9F7392F11F3E2 

44FDF0204E84D8CAE 
25 Ri= 3DDF516EE3945CB86D20D9C49E0DA4D42281D07A7607 

4DD4FE20C5C7C5E205DF66 

r 2 = AC8F85034AC78112071947C457225E908E83A2621B0154 
ED15DBFCB9A4915AC3 

R 2 = 01168CEC0F661EAA15157C2C287C6A5B34EE28F8EB4D8D 

30 340858079BCAE4ECB016 

R = Chinese remainders (R^Ra) = 

0AE51D90CB4FDC3DC757C56E063C9ED86BE153B71FC65F47C1 

23C27F082BC3DD15273D4A923804718573F2F05E991487D17 

DAE0AAB7DF0D0FFA23E0FE59F95F0 




In both cases, the demonstrator transmits to the 
controller, either all or part of each commitment R, or else a 
hashing code H obtained by hashing each commitment R and a 
message M. 

5 2) The act of challenge consists in randomly picking 

one or more challenges d, each consisting of m elementary 
challenges dj,d 2 , ... d m \ each elementary challenge d x is one of 
the numbers from 0 to v/2-1. 
d = dj d 2 . . . d m 

10 Here is a challenge for both examples, i.e. with k = 5 

and m = 4. 

dj = 1011 = 11 = 'B'; d 2 =0011 = 3; d 3 = 0110 = 6; d 4 = 1001 = 

9, 

d = dj || d 2 || d 4 = 1011001101101001 = B3 69 
15 The controller transmits each challenge d to the 

demonstrator. 

3) The act of response includes the following 
operations. 

When the witness does not use Chinese remainders, it has 
20 the parameter k, the m private numbers from Qj to Q m and the 
module n\ it computes one or more responses D by using each 
random number r from the commitment act and the private 
numbers according to the elementary challenges. 

D= r s x Qi dl x Q 2 d2 x ... Q m dm (mod p t ) 
25 Here is the continuation of the example without the 

Chinese remainders. 
D = 

027E6E808425BF2B401FD00B15B642B1A8453BE8070D86C0A7 
870E6C1940F7A6996C2D871EBE611812532AC5875E0E116CC8 

3 0 B A648FD8E86BE0B2ABCC3CCBBBE4 

When the witness uses Chinese remainders, it has the 
parameter k, f prime factors from p 2 to p f , the /-l Chinese 
remainder parameters and mxf private components <2 ZJ ; it 
computes one or more collections of / response components 

3 5 by using each collection of random numbers from the 




commitment act: each collection of response components 
includes one component per prime factor. 

D= r, x Q u dl x Q 2J d2 x ... Q mJ dm (mod Pi ) 
For each collection of response components, the witness 
5 establishes a response according to the Chinese remainder 
technique. There are as many responses as there are 
challenges. 

D= Chinese remainders(D/, £> 2 ,... Df) 

Here is the continuation of the example without the Chinese 
10 remainders. 

Dl = r, x Q M dl x Q 2J d2 x Q 3 ,, d3 x Q 4il « (mod Pl ) 
C71F86F6FD8F955E2EE434BFA7706E38E5E715375BC2CD2029A 
4BD572A9EDEE6 

D2 = r 2 x Q K2 dl x Q 2 , 2 d2 x Q 32 d3 x Q 4 . 2 d4 (mod p 2 ) 
15 0BE022F4A2O523F98E9F5DBECOE10887902F3AA48C864A6C354 
693AD0B59D85E 

90CE7EA43CB8EA89ABDD0C814FB72ADE74F02FE6F098ABB98C 
8577A660B9CFCEAECB93BE1BCC356811BF12DD667E2270134C 
20 9073B9418CA5EBF5191218D3FDB3 

In both cases, the demonstrator transmits each response 
D to the controller. 

4) The act of checking consists in checking that each 
triplet {R, d, D) satisfies an equation of the following type for a 
25 non-zero value. 

RxY[Gf l = D 2 (mod n) or else R = D 2 xf|G^ (mod n) 
/=i /=i 

or, in restoring each commitment : none of them must be 

30 zero. 

A- m k m 

R'=D 2 /Y[ G ?' ( mod n ) or else R'=D 2 ><Yl G ? (mod n) 
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Optionally, the controller then computes a hashing code 
H f by hashing each restored commitment R' and the message 
M\ Dynamic authentication is successful when the controller 
thus retrieves what it has received at the end of the 
5 commitment act, i.e., all or part of each commitment R, or the 
hashing code H. 

For example, a sequence of elementary operations 
transforms response D into a commitment R'. The sequence 
comprises k squares (mod n) separated by k-l divisions or 

10 multiplications (mode n) by base numbers. For the i-th 
division or multiplication, which is performed between the i-th 
square and the i+l-th square, the i-th bit of the elementary 
challenge d u indicates if gj must be used, the i-th bit of the 
elementary challenge d 2 indicates if g 2 must be used, ... up to 

15 the i-th bit of the elementary d m which indicates if g m must be 
used. 

Here is the end of the example without the Chinese 
remainders. 
D = 

20 027E6E808425BF2B401FD00B15B642B1A8453BE8070D86C0A7 
870E6C1940F7A6996C2D871EBE611812532AC5875E0E116CC8 
BA648FD8E86BE0B2ABCC3CCBBBE4 
Take the square modulo n: 

88BA681DD641D37D7A7D9818D0DBEA82174073997C6C32F7 
25 FCAB30380C4C6229B0706D1AF6EBD84617771C31B4243C2F0 
376CAF5DCE B644F098FAF3B1EB49B39 
Multiply by 5 times 26 = 130, i.e..'82' modulo n\ 
6ECABA65A91C22431C413E4EC7C7B39FDE14C9782C94FD6FA3 
CAAD7AFE192B9440C1113CB8DBC45619595D263C1067D3D0 
30 A840FDE008B415028AB3520A6AD49D 
Take the square modulo n: 

0236D25049A5217B13818B39AFB009E4D7D52B17486EBF844 
D64CF75C4F652031041328B29EBF0829D54E3BD17DAD21817 
4A01E6E3AA650C6FD62CC274426607 
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Multiply by 21, i.e. '15' modulo n 
2E7F40960A8BBF1899A06BBB6970CFC5B47C88E8F115B5DA59 
4504A92834BA405559256A705ABAB6E7F6AE82F4F33BF9E912 
27FOACFA4A052C9 1 ABF389725E93 
5 Take the square modulo n: 

B802171179648AD687E672D3A32640E2493BA2E82D5DC87D 
BA2B2CC0325E7A71C50E8AE02E299EF868DD3FB916EBCBC0C5 
569B53D42DAD49C956D8572E1285BO 

Multiply by 5 times 11 times 21 = 1155, i.e. '48 3' 
10 modulo n: 

33055602763 10DEFEC1337EB5BB5810336FDB28E91B350D485 
B09188E0C4F1D67E68E9590DB7F9F39C22BDB4533013625011 
248A8DC417C667B419D27CB11F72 

Take the square modulo n: 
15 8871C494081ABD1AEB8656C38B9BAAB57DBA72A4BD4EF902 
9ECBFFF540E55138C9F22923963151FD0753145DF70CE22E9D0 
19990E41DB6104005EEB7B 1170559 

Multiply by 5 times 11 times 26 = 1430, i.e. '5 96' 
modulo n: 
20 2CF5F76EEBF128A0701B56F837FF68F81A6A5D175D0AD67A14 
DAEC6FB68C362B1DC0ADD6CFC004FF5EEACDF794563BB09A1 
7045ECFFF88F5 1 36C7FBC825BC50C 

Take the square modulo n: 

6BBF9FFA5D509778D0F93AE074D36A07D95FFC38F70C8D7E33 
25 00EBF234FA0BC20A95 152A8FB73DE8 1FAEE5BF4FD3EB7F5EE3E3 
6D7068D083EF7C93F6FDDF673A 

The commitment r is retrieved. Authentication is 
successful. 

Here is the end of the example with the Chinese 
30 remainders. 
D = 

90CE7EA43CB8EA89ABDD0C814FB72ADE74F02FE6F098ABB98C 
8577A660B9CFCEAECB93BE1BCC356811BF12DD667E2270134C 
9073B9418CA5EBF5 19121 8D3FDB3 
35 Take the square modulo n : 
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770192532E9CED554A8690B88F16D013010C903172B266C11 
33B136EBE3EB5F13B170DD41F4ABE14736ADD3A70DFA43121 
B6FC5560CDD4B4845395763C792A68 

Multiply by 5 times 26 = 130, i.e. '82' modulo n: 
5 6EE9BEF9E527 13004971ABB9FBC3 1 1453 1 8E2A703C8 A2FB3E144 
E7786397CD8D1910E70FA86262DB771AD1565303AD6E4CC6E 
90AE3646B461D3521420E240FD4 

Take the square modulo n: 
D9840D9A8E80002C4D0329FF97D7AD163D8FA98F6AF8FE2B21 
10 60B2126CBBDFC734E39F2C9A39983A426486BC477F20ED2CA5 
9E664C23CA0E04E84F2F0AD65340 

Multiply by 21, i.e. '15' modulo n: 
D7DD75 16383F78944F2C901 16E1BEE0CCDC8D7CEC5D7D1795 
ED33BFE8623DB3D2E5B6C5F62A56A2DF4845A94F32BF3CAC36 
15 0C7782B5941924BB4BE91F86BD85F 

Take the square modulo n: 
DD34020DD0804C0757F29A0CBBD7B46A1BAF949214F74FDFE 
021B626ADAFBAB5C3F1602095DA39D70270938AE362F2DAE0 
B9 148553 10C75BCA328A4B2643DCCDF 
20 Multiply by 5 times 11 times 21 = 1155, i.e. '48 3' 

modulo n: 

038EF55B4C826D189C6A48EFDD9DADBD2B63A7D675A0587C 
8559618EA2D83DF552D24EAF6BE983FB4AFB3DE7D4D254519 
0F1B 1F946D327A4E9CA258C73A98F57 

25 Take the square modulo n: 

D1232F50E30BC6B7365CC2712E5CAE079E47B971DA03185B33 

E918EE6E99252DB3573CC87C604B327E5B20C7AB920FDF142A 

8909DBBA1C04A6227FF18241C9FE 

Multiply by 5 times 11 times 26 = 1430, i.e. '5 96' 

30 modulo n: 

3CC768F12AEDFCD4662892B9174A21D1F0DD9127A54AB63C 
984019BED9BF88247EF4CCB56D71E0FA30CFB0FF28B7CE45556 
F744C1FD75 1BFBCA040DC9CBAB744 
Take the square modulo n: 




0AE51D90CB4FDC3DC757C56E063C9ED86BE153B71FC65F47C1 

23C27F082BC3DD15273D4A923804718573F2F05.E991487D17 

DAE0AAB7DF0D0FFA23E0FE59F95F0 

The commitment r is retrieved correctly. Authentication 
5 is successful. 

Digital signature 

The digital signing mechanism enables an entity called a 
signing entity to produce signed messages and an entity called 
controller to ascertain signed messages. Message M is any 

10 binary sequence: it may be empty. The message M is signed by 
adding a signature appendix to it, which comprises one o r 
more commitments and/or challenges, as well as the 
corresponding responses. 

The controller has the module n, for example, from a 

15 directory of public keys or even from a certificate of public 
keys; it also has the same hashing function. The GQ2 public 
parameters, i.e. numbers k, m and g } to g m may be given to the 
controller by the demonstrator, for example by putting them 
in the signature appendix. 

20 Numbers k and m inform the controller. Each elementary 

challenge from d } to d m on the one hand is a number from 0 to 
2*~ 7 -l (numbers v/2 to v-1 are not used). Each challenge d on 
the other hand should include m elementary challenges 
referenced from d } to d m , as many as there are base numbers. 

25 Further, unless indicated otherwise, the m base numbers, from 
gj to g m are the first m prime numbers. With (M)xm being 
from 15 to 20, it is possible to. sign with four GQ2 triplets 
produced in parallel; with (k-l)xm being 60 or more, it is 
possible to sign with only one GQ2 triplet. For example, with k 

30 =9 and m = 8, only one GQ2 triplet is sufficient; each 
challenge includes eight bytes and the base numbers are 
2,3,5,7,11,13,17 and 19. 

The signing operation is a sequence of three acts: a 
commitment act, a challenge act and a response act. Each act 
3 5 produces one or more GQ2 triplets each comprising: a 




commitment r 0), a challenge d consisting of m elementary 
challenges referenced by d\, d 2 , ... d m and a response D O 0). 

The signing entity has a hashing function, the parameter 
k and the GQ2 private key, i.e., the factorization of the module 
5 n according to one of the three representations mentioned 
above. Within the signing entity, it is possible to isolate a 
witness which executes the commitment and response acts in 
order to isolate the most sensitive functions and parameters of 
the demonstrator. In order to compute commitments and 

10 responses, the witness has the parameter k and the GQ2 
private key, i.e., the factorization of the module n according to 
one the three representations mentioned above. The thereby 
isolated witness is similar to the witness defined within the 
demonstrator, it may correspond to a particular embodiment, 

15 for example, • a chip card connected to a PC forming together 
the signing entity or even • programs particularly protected 
within a PC, or even, • programs particularly protected within a 
chip card. 

1 ) The act of commitment comprises the following 
20 operations. 

When the witness has the m private numbers Qj to Q m 
and the module n, it randomly and privately picks one or more 
random numbers r (0 < r < n)\ and then, by k successive 
squarings (mode n), it transforms each random number r into 
25 a commitment R. 

R s r v (mod n) 

When the witness has / prime factors from pi to pj and 
mx/ private components Qjj. it randomly and privately picks 
one or more collections of / random numbers: each collection 
30 includes a random number r, per prime factor p, (0 < r f - < /?;); 
and then k successive squarings (mod /?,), it transforms each 
random number r, into a commitment component R h 

Ri s n v (mod pd 
For each collection of / commitment components, the 
35 witness establishes a commitment according to the Chinese 




remainder technique. There are as many commitments as 
there are random number collections. 

r= Chinese remainders (R ]f R 2 > Rf) 

2) The act of challenge consists in hashing all 
5 commitments r and the message m to be signed in order to 

obtain a hashing code from which the signing entity forms one 
or more challenges each comprising m elementary challenges; 
each elementary challenge is a number from 0 to v/2-1; for 
example, with k = 9 and m = 8, each challenge includes eight 
10 bytes. There are as many challenges as there are commitments. 
d = d lf d 2 , ... d m9 extracted from the Hash(M, R) result 

3) The act of response includes the following 
operations. 

When the witness has m private numbers Q lf to Q m> and 
15 module n, it calculates one or more responses D by using each 
random number r of the commitment act and the private 
numbers according to the elementary challenges. 

X = Qt di x Q 2 d2 x ... Q m dm (mod ri) 
D = r xX (mod n) 

20 When the witness has /prime factors from pj to p f and 

mxf prime components Q it j f it calculates one or more 
collections of / response components by using each collection 
of random numbers from the commitment act; each collection 
of response components includes one component per prime 

25 factor 

X ^ Q u dl x Q 2(i d2 x ... Q m ,i dm (mod Pi ) 
Di = r, x Xi (mod pi) 
For each collection of response components, the witness 
establishes a response according to the Chinese remainder 
30 technique. There are as many responses as there are 
challenges. 

D = Chinese remainders (D If D 2 , ... D f ) 

The signing entity signs the message M by adding a 
signature appendix comprising : 




either each GQ2 triplet, i.e., each commitment /?, 
each challenge d and each response D, 

or each commitment R and each corresponding 
response £>, 

5 - or each challenge d and each corresponding 

response D. 

The running of the verification operation depends 
on the contents of the signature appendix. Three cases are 
distinguished. 

10 Should the appendix comprises one or more 

triplets, the checking operation includes two independent 
processes for which chronology is indifferent. The controller 
accepts the signed message if and only if, both following 
conditions are satisfied. 

15 Firstly, each triplet must be consistent (an appropriate 

relationship of the following type has to be verified) and 
acceptable (the comparison has to be done on a non-zero 

value>L " , " 

RxJjGfi = D 2 * (mod n) or else R = D 2 *JJg; (m ° d n) 

i=i <=i 

20 For example, the response D is converted by a sequence 

of elementary operations: k squares (mod n) separated by k-l 

multiplication or division operations (mod n) by base 

numbers. For the i-th multiplication or division which is 

performed between the i-th square and the /+ 1st square, the i- 

25 th bit of the elementary challenge dj indicates whether it is 
necessary to use g h the i-th bit of the elementary challenge d 2 
indicates whether it is necessary to use g 2 , ... up to the i-th bit 
of the elementary challenge d m which indicates if it is 
necessary to use g m . It is thus necessary to retrieve each 

30 commitment R present in the signature appendix. 

Furthermore, the triplet or triplets must be linked to the 
message M. By hashing all the commitments R and the 
message M, a hashing code is obtained from which each 
challenge d must be recovered. 
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d = dj d 2 ...d m , identical to those extracted from the result 
Hash(M, R). 

If the appendix has no challenge, the checking 
operation starts with the reconstitution of one or more 
5 challenges d' by hashing all the commitments R and the 
message M . 

d = d'j d' 2 ... d' m , extracted from the result Hash(M, R). 

Then, the controller accepts the signed message if and 
only if each triplet is consistent (an appropriate relationship of 
10 the following type is verified) and acceptable (the comparison 
is done on a non-zero value). m 

Til -w» m 

' RxTTg?* = D 2k ( mod n > or else R = D ~ x li G i i (mod n) 

11 ' - f - =1 

Should the appendix comprise no commitment, 

the checking operation starts with the reconstitution of one or 
15 more commitments R' according to one of the following two 
formulae, namely the one that is appropriate. No re- 
established commitment should be zero. 

*'= D2 * /JjGfi ( m ° d W > ° r elSe R '= Dl X Yl G f i (m ° d } ^ 
1 = 1 '=1 

Then, the controller must hash all the commitments R' and the 
20 message M so as to reconstitute each challenge d. 

d = dj d 2 ... d my identical to those extracted from the 
result Hash (M, i? f ). 

The controller accepts the signed message if and only if 
each reconstituted challenge is identical to the corresponding 
25 challenge in the appendix. 



